In Windows NT 4.0, the SAM serves primarily as an administrative tool. An NT administrator can create user accounts and computer accounts that manage access to network resources and can simplify resource access management by creating groups to organize the user accounts. A user logging on to a computer in an NT 4.0 domain is really only concerned about whether an administrator has created a user account that will let the user log on and whether that user account has access to the appropriate resources. Otherwise, from a user's perspective, NT 4.0's directory service is almost irrelevant.
When you compare the directory services in NT 4.0 with the directory services in Windows 2000 Active Directory (AD), you notice several differences immediately. One of the most significant is that you can now create many new object types. In addition to the directory objects that you can create in NT 4.0—users, groups, and computers—you can now create shared folders, contacts, and printers. Why would you want to add printers or shared folders to your directory? One important reason is to help users more easily access the network resources they need to perform their jobs. Let's look at an example.
Imagine that you're visiting a remote office that you're not familiar with, and you need to locate a printer so that you can print a report. The people familiar with the local network aren't readily available, so you're left to find the printer, set up the connection, and collect the print job once it prints.
NT 4.0 Domain
If the remote office runs an NT 4.0 domain environment, you have to browse for a shared printer. If it's a large NT 4.0 environment, the initial browse list of machines that have shared resources in the domain can include hundreds of machines. When viewing the browse list, the only way to determine whether a machine has a shared printer is to choose a machine and wait for it to respond with a list of shared resources. After finding a machine with a shared printer, you have to examine the printer's name to determine its capabilities—and just because you can see the printer on a browse list doesn’t mean that you have permission to print to it. Once trial-and-error searching yields a printer that you can print to, you then face what can be the greatest challenge of the entire process: figuring out where the physical printer is located so that you can retrieve your print job.
If the remote office has published the printers to AD, you get immensely faster results when you conduct a similar search. Click Start, Search, and choose printers to bring up the Find Printers dialog box, as Figure 1 shows. The Find Printers dialog box lets you search for printers based on printer name, location, model, capabilities, and several advanced criteria. When you submit the search, you query AD instead of browsing inefficiently through an NT 4.0 domain.
This process doesn’t apply just to printers. In a well-designed AD that's populated with relevant information, you can efficiently locate all kinds of information that can help you become much more productive. You can locate shared folders without knowing the name of the server that's sharing the resource or remembering its share name. You can also perform searches to locate email addresses and phone numbers of other users on the network.
A New Paradigm
Initially, many administrators don't understand the benefit of AD's ability to store such an abundance of information. To be honest, I didn't get it when I started exploring AD. But once I changed the way that I look at directory services (I now consider it not just an administrative tool, but also an important tool for users), I began to understand why Win2K is such a significant new product. Many products change the way administrators do their jobs, but Win2K, if you implement it correctly, has the potential to make it much easier for your users to share, locate, and leverage information. And that's good—very good.