Setting up the tool and its customer organizations
As the number of Internet users continues to grow, so does the number of Web-based provisioning tools that let those users perform administrative tasks within a Windows and IIS environment. The Microsoft Web Admin tool is one such application. Web Admin is a sample Web-based provisioning tool that demonstrates the use of Active Server Pages (ASP) and Microsoft Internet Explorer (IE) 4.0 or later to create, modify, and delete users, groups, and organizational units (OUs) from Windows 2000 Active Directory (AD). Web Admin uses ASP and VBScript to access the Windows Management Instrumentation (WMI) API and request information from AD. WMI translates these requests into DS Provider calls that communicate with the Active Directory Service Interfaces (ADSI) API and that translate each operation into a set of ADSI calls that can perform such tasks as creating OUs, adding users to an OU, or removing users from groups. The tool is an excellent starting point for Web developers who want to create an application that provides provisioning services to customers.
Because the tool is Web-based, an IIS administrator often must implement it—a more complicated process than simply setting up a new Web site, as the sidebar "Your Role in Implementing Web Admin" explains. The process includes preparing the IIS server, configuring Web Admin, and setting up customer organizations (which the tool adds to AD as OUs). To participate in this process, you need to understand the tool's setup and configuration and how Web Admin uses administrative roles, OUs, and Win2K security to provide a structure in which to deliver provisioning services.
Setting Up the IIS Server
To begin, download Web Admin from http://www.microsoft.com/serviceproviders/downloads/webadmin_overview.asp and install the tool on a Win2K Server member server or domain controller (DC) configured with IIS 5.0. (For performance and security reasons, I recommend against installing the tool on a DC.) The computer must be in the Win2K native-mode domain that you want to administer. Because of security-credential concerns, you must place the tool's files and folders in a folder on the local drive, and you must modify the permissions for that folder so that only the SYSTEM account and the local Administrators group account have Full Control.
Web Admin includes the adstype.dll file. For the tool to work properly, you must register this file on the IIS server. To do so, open a command prompt and run the following command:
<path to Web Admin folder>
Note that the tool's documentation instructs you to include a build number placeholder in this command, but this instruction is incorrect. The application's folder structure doesn't include the build number.
After you register adstype.dll, set up a Web site or virtual directory named WebAdmin. (Although you can use a virtual directory in the Default Web site, Microsoft recommends against doing so.) During this process, you'll receive a prompt for a directory location; browse to the local Web Admin folder's HTML subfolder. You'll then receive a prompt to configure access permissions; leave them in their default state. Make sure to start the IIS service for whichever Web site you use.
Configure the Web site's properties to disable Anonymous access, enable Basic authentication, and set the Basic authentication domain name to a backslash (\). Enable Secure Sockets Layer (SSL) on the IIS server if your organization requires that you do so.
Configuring Web Admin
Configuring the tool is simply a matter of using IE to access Web Admin, then running the Web Admin Setup Wizard. Log on to the IIS server as a member of the Domain Admin group or Enterprise Admin group. (Be sure to log on to the domain and not just the local computer, which can sometimes happen when you log on with the Administrator account. If you log on locally, you won't be able to use Web Admin.) Open IE and go to http://servername/webadmin, where servername is the name of your IIS computer. Figure 1 shows the tool's initial interface.
In addition to logging on to the server, you need to log on to the Web Admin tool. You'll receive a prompt for a username and password when you first log on to the tool or after you begin to run the Web Admin Setup Wizard, depending on whether Integrated Windows authentication is enabled for the tool's Web site. (If Integrated Windows authentication is enabled, you'll receive the prompt when you run the Setup Wizard; otherwise, you'll receive the prompt as soon as you try to access the tool. Web Admin uses Basic authentication only. When you run the Setup Wizard, Web Admin disables Integrated Windows authentication if it's enabled; if you enable Integrated Windows authentication after you run the Setup Wizard, you won't be able to access the tool.)
After you run the Setup Wizard, you'll be prompted for a username and password whenever you try to access the tool. As when logging on to the IIS server, you must take into account special logon considerations when logging on to Web Admin. If the IIS computer is a member server and the local Administrator account password is the same as the domain Administrator account password, you must use the domain prefix (e.g., domain01\administrator) when you log on to Web Admin.
After the tool's opening screen appears, click Go Setup to launch the Web Admin Setup Wizard. By default, the wizard creates the Hosting OU and the Services OU and adds several security groups to the Services OU. The wizard also removes Authenticated Users from first-level containers. Be sure to notify your domain administrator about these changes before you implement the tool.
From the wizard's final screen, you can go to the tool's Configuration page or you can start using Web Admin. The Configuration page shows a list of options, derived from the tool's config.asp file, that you can use to configure the tool's features. Any changes you make on this page affect only the server you're connected to and remain in effect only until you restart the Web service or reboot the computer. To make permanent changes, you can modify config.asp directly. If you do so, however, you must edit every config.asp file on every server on which you place Web Admin to be sure that your changes are consistent across all the servers.
Setting Up the Customer Organizations
After you set up your IIS server and configure Web Admin, you're ready to set up your customer organizations. However, you first need a basic understanding of the organizational structure that the tool uses. See the sidebar "Web Admin's Organizational Structure" for an explanation of this structure.
You can use the New Customer Wizard to create a customer OU, a customer-specific Web site, and the site's related folder structure. (When you want to create a customer organization without creating a corresponding Web site, use the simpler New Customer Org tool. Simply click the New Customer Org link and fill in the necessary information.) Only Domain Administrators can use the New Customer Wizard. (See "Web Admin's Organizational Structure" for a detailed explanation of the tool's administrative roles.)
To launch the wizard, click New Customer in the Web Admin interface, then click Continue. On the New Customer Name screen, you must provide a customer name. In addition, you have the option of enabling this customer organization as a multi-organizational customer OU. When you select this option, you can add a user to the organization and configure that user as a Multi-Organization Administrator. Those users can then create and manage other customer organizations within that multi-organizational customer OU. A multi-organizational customer OU includes an additional security group called MultiOrgAdmin, which contains any users you configure as Multi-Organization Administrators.
Click Next. The wizard adds the new customer organization OU to AD and configures the OU with the appropriate security groups. Even if you were to close the New Customer Wizard or Web Admin at this point, the new OU would still exist in AD.
The next screen, which lets you select the services you want to enable, provides two options: the Exchange 2000 check box and the Web Server check box. You must select the Web Server check box; otherwise, Web Admin will generate an error. Select the Exchange 2000 check box only if you plan to use Web Admin to offer email support.
On the next screen, select the IIS server on which you installed Web Admin. Review the Web services information for accuracy, then click Next. Many users have reported receiving an error at this point. If you receive an error, click Back on your browser, but don't click Next again or the Web Admin tool will add a duplicate Web site and related folder structure for the customer organization. Instead, select Web Server from the drop-down list at the top of the screen, and the correct screen will appear.
Review the information on the screen, then click Click Here to Manage this Web Service. You can pause or stop the service on the new Web site, or you can manage the new customer organization. If you choose to manage the customer, the wizard links you to Web Admin's Organizational Management component, from which you can add and manage users, groups, and child organizations and perform several other administrative tasks such as assigning administrative roles.
To create a new user account, click the New User icon and fill in the appropriate information. At this point in the process, you can select one or both of two important options. To configure the user to be a Multi-Organization Administrator—assuming that you set up the customer organization to be a multi-organizational customer—select the MultiOrg Administrator check box. A Multi-Organization Administrator can create and manage multiple organizations, but the number of administrative tasks that a Multi-Organization Administrator can perform is limited. To configure the user as an Organization Administrator, select the Organization Administrator check box. An Organization Administrator can manage only one organization but can perform many administrative tasks. Select both options to give the user the ability to create customer organizations and to give the user extensive administrative privileges within those organizations. Also, be aware that Multi-Organization Administrators can designate users—including themselves—as Organization Administrators. Therefore, even when you assign only the Multi-Organization Administrator role to a user, that user can configure himself or herself to be an Organization Administrator. To configure the user as an End User, leave both check boxes cleared.
After you've created users in Web Admin, they can log on to the tool and perform various tasks according to their administrative roles. All users, except Domain Administrators, must use the user principal name (UPN) logon method (e.g., user1@cust1a for User1 in the Cust1a customer organization) to log on to the domain. If you installed Web Admin on a DC, you must add the Domain Users group to the Log on locally policy in the Domain Controller OU's Group Policy Object (GPO).
When a user logs on to Web Admin, the tool displays the functions available for that user's specific administrative role. For example, when a Multi-Organization Administrator logs on to the tool, the interface displays the New Customer Org link, which lets the user create customer organizations. If the Multi-Organization Administrator is also an Organization Administrator, the interface displays the New User, New Group, and New Organizational Unit icons. (The New Organizational Unit icon lets the user create child organizations.) End Users, however, don't see any of these options.
Get to Know the Possibilities
Web Admin is a great introduction to the possibilities of delegating administrative control of your application services and giving customers the ability to perform day-to-day tasks that might otherwise challenge your organization's resources. To learn more about the tool, visit http://communities.msn.com/webadmintoolupdate, which includes information, links, message boards, and newsgroups. The best way to understand the tool, however, is to install it, create customer organizations and users, and test the tool's functionality.