My Vote for an AD Schema Change

I have been thinking a bit lately about how our computing environments are evolving into a more dynamic mode. In this article, I make the case that Microsoft should make some schema changes so that we have a standard way to do what we want in the future.

If you think about combining Virtual Desktops with Virtual Applications and things like roaming profiles, you begin to think about separating out parts (containerizing them) and layering them together.

For example, if you have a lot of VDI going on, rather than store a complete OS image for each user’s virtual desktop, it would be great to store just one image of a “stateless” operating system, then layer on the personality changes needed for each instance.  Because the hardware has been virtualized underneath, there is an awful lot of commonality in the bits.  Sure, you need a computer name and a domain account identifier, but until you think about applications and users, the OS bits are all the same.

Add to this that you can separate out applications, using virtual application technology.  Now separate out user stuff, by something like roaming profiles.  This is the kind of dynamic world we are moving to, where layers of components are brought together “just in time” to meet our computing needs.

In layering applications and users, we will probably think about the user first, and what applications they should have, rather than the other way around.  It might be easier to implement by adding apps and then the user, but since many software applications are licensed on a per-user basis, we will probably always have to think of the user first.  Which brings us to today’s topic: how do we associate users with applications?

Unfortunately, there is no one magic bullet to do this.  If you use Citrix XenApp (aka Presentation Server, Metaframe, or just “Citrix”) you use (one of) the Citrix Management Console(s) and the association is stored in that private database.  If you use SMS/SCCM, same story.  Same for Symantec Altiris.  Ditto TriCerat Simplify Lockdown.  Even Microsoft App-V has its own independent database for storing these records.

Ultimately, enterprises are often using Active Directory Domain Services (ADDS) in a way it wasn’t intended for.  Many companies create an ADDS container per application, and then add users as members of that container.  Now, when they go to this tool or that tool to assign users to the application they are dealing with, they don’t have to worry about the specifics of which user; they just pick the AD container for the application.

This model fits the enterprise environment well because it splits the task of managing applications from that of associating users with the applications.  Quite often, the personnel that manage the applications are different from those who assign them.  This allows application assignments to be made by personnel who do not need to be trained in these specialized tools.  ADDS is all they need to know.
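The per-application container pattern described above, turned into the kind of assignment report the article says no standard tool provides. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed and that each application is represented by an AD security group following a hypothetical "APP-" naming convention.

```powershell
# Added example: report user-to-application assignments when each
# application is an AD security group (the "container" the article describes).
# Assumption: application groups use a hypothetical "APP-" name prefix.
Import-Module ActiveDirectory

$prefix = 'APP-'
$assignments = @()

# Locate every application group by the assumed naming convention.
$appGroups = Get-ADGroup -Filter "Name -like '$prefix*'" -Properties Description

foreach ($group in $appGroups) {
    # -Recursive expands nested groups, so a user granted an application
    # indirectly (group-in-group) is still counted; that matters when the
    # application is licensed per user.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    if (-not $members) {
        # An application group with no users is worth flagging: either the
        # application is unused or the assignment convention was not followed.
        Write-Warning "Application group '$($group.Name)' has no user members."
        continue
    }

    foreach ($member in $members) {
        $assignments += [pscustomobject]@{
            Application = $group.Name.Substring($prefix.Length)
            Description = $group.Description
            User        = $member.SamAccountName
        }
    }
}

# Per-application user counts: a quick per-user licensing sanity check.
$assignments | Group-Object Application |
    Select-Object @{ n = 'Application'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending

# Full assignment list, suitable for handing to a licensing or audit tool.
$assignments | Sort-Object User, Application |
    Export-Csv -Path .\app-assignments.csv -NoTypeInformation
```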

On the other hand, this model is awful for the ISV community.  Each customer creates his own scheme in ADDS for how to identify the applications.  So there is no commonality between customers in how this is done, and thus no standard tools for managing, reporting, and integrating into all of those management consoles.

What we really need is for Microsoft to advance the application into a first-class citizen in Active Directory: Computers, Users, and Applications.  Through a standard schema change, everyone could build tools that leverage a single infrastructure, making all of this dynamic, just-in-time layering a reality without locking into a single vendor for all your needs.

Join the conversation


I just got hung up on the ADDS being repeated. What the heck is ADDS? Never heard of it. I sure know ADP, whatever, Active Directory Partitions, ADAM, Active Directory Applications Mode. ADDS? Nothing. For certain it's not a double acronym along the lines of Active Directory Directory Services... Or is it something that adds? Nah, far off. So what the heck is ADDS???


My bad!  I should have defined it when I first used the abbreviation.  I will patch the main article.

ADDS = "Active Directory Directory Services".  Microsoft kind of rebranded what we have known as simply AD.


I wouldn't hold your breath.

Application shopping solutions fall into this solution set. And if you look to MS, they deliver this via the SC Service Manager (beta) product. Well, that's assuming it hasn't fallen out of scope with the redesign of this product.

A small step would be fixing up roaming profiles



Hi Tim,

ADDS stands for "Active Directory Domain Services". See, for example, here:


Duh!  It was late when I did that.  Thx.