Can Active Directory Really Simplify Management And Reduce TCO

Did you know that, according to studies from IDC and the Gartner Group, no matter which operating system you have, each workstation in your network is costing you a minimum of £2000 per annum?

Did you know further that each server is costing you £10000.00 per annum? How many of us think that these figures are too high? (Note I've selected the minimum costs!)

How often do we even think about TCO (total cost of ownership) and how to make managing our network easier? Of course we care about making our systems more manageable, but in truth our thought processes tend to be more along the lines of:-

How can I prevent John from accessing those applications?

I wonder how many people will have forgotten their passwords today?

Another virus has come out and I need to deploy the updates to all my workstations immediately, who is available to do this?

I hope management isn't going to change how our users access the internet again. It takes ages to reset the settings on each PC. I may need to budget for some extra staff.

Essentially the thought processes tend to revolve around fire-fighting or crisis management.

Now stop for a moment and think. What if you could effectively manage your entire network infrastructure at a virtual touch of a button?

Apart from gaining more time to proactively manage your network, you could actually be doing your company a huge favour and save them an immense amount of money.

The Gartner Group's Desktop 2003 TCO update last September states that enterprises should focus on manageability to achieve bigger TCO reductions.

In order to understand why Active Directory (AD) is a key component to reducing the TCO of a network we first need to ask ourselves the following questions:-

1. What is TCO and how much does it impact on us?

2. What opportunities are available to reduce our TCO?

3. Where can AD help reduce the TCO of our network?

What is TCO and how much does it impact on us?

The TCO of a network can be broken down into two sections:-

1. Direct Costs. This is the cost of:

* Hardware, software and the ongoing maintenance of these components

* Operations and technical staff required to support and manage your infrastructure. These include people such as help desk personnel and IT architects.

* Administration staff. These are the people required to purchase the hardware and software components that make up your infrastructure and hire the operations and technical staff.

These would include people in the purchasing, finance, HR and legal departments as well as people who would train your users on how to effectively use their hardware and software.

2. Indirect Costs. These are generally difficult to quantify but would include costs due to:-

* Downtime. This could be the cost of your servers crashing and causing a knock-on effect on customers and employees. For example, customers who cannot get hold of important information immediately may go to a competitor, and employees such as data input operators will be unable to work, costing the company money.

* End-user operations. Gartner coined the term 'futzing' a number of years back to describe end-user operations that wasted time (i.e. users could change anything they wanted on their PC, including system settings via Control Panel). These all resulted in expensive help desk costs.

* Data Loss. This is the cost of data no longer being available, for example, due to a corrupt database or catastrophic failures of servers. Imagine the cost to an on-line company such as Amazon.

Companies such as IDC and the Gartner Group regularly produce reports on the TCO of each component in your network.

Using the criteria derived from direct and indirect costs, the largest cost component is your Windows workstation. According to reports, the cost is approximately £2000+ per workstation per year and £10,000+ per server per year.

So in an environment with five servers and fifty workstations, you are paying in the region of £150,000+ in terms of TCO.

Each vendor has white papers conducted by independent research organisations, such as Gartner, comparing the TCO of their OS against other vendors. For example, you can freely access Microsoft's (there I've mentioned the 'M' word) at

It is always difficult to know which paper to believe when there appears to be a complete contradiction in one paper over another.

However, it is my belief, and that of many other senior IT executives, that whether we love or dislike Microsoft products, Microsoft's major strength has always been in the area of 'Ease of Use.' This strength alone provides major gains in TCO from reduced training and support costs.

Now these may appear inordinately high (and note the minimum costs quoted have been used with a few pounds taken off for good measure) but try doing the calculations for your own network and see what figure you come up with. Now what if effective use of AD could substantially reduce your TCO on an ongoing basis by say 15-30% or more per year per machine?

What Opportunities are Available to Reduce Our TCO?

There are several opportunities for us to reduce the TCO both from an end-user and an operations perspective.

From an end-user perspective, we can

1. Automate deployment by supplying a tested and controlled method of installing and removing applications, updates and patches.
2. Reduce user error by locking down our workstations depending on the type and IT literacy of our users.
3. Ensure users store data such as documents and emails centrally rather than on their computers.

From an operations perspective, we can

1. Automate labour intensive administration tasks
2. Eliminate and focus technical support calls
3. Integrate diverse applications and databases

Where can AD help reduce TCO?

AD is a powerful database containing references to all objects that can be accessed via a network. These objects include users, groups, workstations, servers, shared folders and printers. Essentially, it is a central repository for all network information.

Each set of objects can be put into logical containers called OUs (organisational units). These OUs can represent departments, regional areas or projects. AD is a core component of Microsoft Windows 2000 and Windows 2003 server versions and above.

AD derives much of its power by enabling an administrator to quickly and easily access and manage each object in the database by the judicious use of security and group policy tools applied to an OU. These tools can help us reduce the TCO from both the end-user and operations perspectives discussed in the section marked 'What Opportunities are Available to Reduce Our TCO.'

Let's go through these.

End-user perspective

From an end-user perspective, group policies enable us to:-

1. Automate deployment. Quickly and easily deploy updates, applications and patches to workstations directly or based on the workstations that specific employees use. Hence, if employee X moves to workstation2, the software policy will follow employee X to workstation2, whilst at the same time preventing employee Y from accessing the software on workstation1.

2. Reduce user error. This can be done by locking down every workstation depending on the type of user and IT literacy of the user. For example, a group policy applied to the finance OU containing users in the finance department may prevent the finance users from accessing the registry tools and the command prompt, and prevent them from changing their desktop colours and bitmaps, whereas a group policy applied to an OU containing users working on the IT helpdesk may only prevent the helpdesk users from accessing registry-based tools.

3. Ensure users store data centrally. Prevent users from saving documents on their desktops and hard disks. This ensures that these documents always get stored in the users' home directories or designated storage areas on servers. This also ensures that each user's data will always get backed up and managed by the corporate server maintenance policies.
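The finance and helpdesk lockdown described in item 2, sketched as an added example that is not part of the original article. It assumes the GroupPolicy PowerShell module from current RSAT (newer than the Windows 2000/2003 tools the article describes); the domain, OU and GPO names are placeholders.

```powershell
# Added example. Needs the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'   # placeholder domain
$sysKey   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdKey   = 'HKCU\Software\Policies\Microsoft\Windows\System'
$deskKey  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'

# One entry per OU: the per-user policy values that OU's users should receive.
$profiles = @(
    @{ Name = 'Finance - Desktop Lockdown'; OU = "OU=Finance,$domainDn"
       Settings = @(
           @{ Key = $sysKey;  ValueName = 'DisableRegistryTools'; Value = 1 }  # block regedit
           # 1 also blocks batch files; use 2 if logon scripts are .bat/.cmd
           @{ Key = $cmdKey;  ValueName = 'DisableCMD';           Value = 1 }
           @{ Key = $deskKey; ValueName = 'NoChangingWallPaper';  Value = 1 }  # fix desktop bitmap
       ) }
    @{ Name = 'Helpdesk - Registry Tools Only'; OU = "OU=Helpdesk,$domainDn"
       Settings = @(
           @{ Key = $sysKey;  ValueName = 'DisableRegistryTools'; Value = 1 }
       ) }
)

foreach ($p in $profiles) {
    # Create the GPO only if it does not exist, so the script can be re-run safely.
    $gpo = Get-GPO -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $p.Name -Comment 'Per-OU user lockdown' }

    foreach ($s in $p.Settings) {
        Set-GPRegistryValue -Name $p.Name -Key $s.Key -ValueName $s.ValueName `
            -Type DWord -Value $s.Value | Out-Null
    }

    # Only user settings are defined, so skip computer-side processing.
    $gpo.GpoStatus = 'ComputerSettingsDisabled'

    # Link the GPO to its OU unless a link is already present.
    $linked = (Get-GPInheritance -Target $p.OU).GpoLinks.DisplayName
    if ($linked -notcontains $p.Name) {
        New-GPLink -Name $p.Name -Target $p.OU -LinkEnabled Yes | Out-Null
    }
}

# Write a report so the settings can be reviewed before users next log on.
Get-GPOReport -Name 'Finance - Desktop Lockdown' -ReportType Html -Path "$PWD\finance-lockdown.html"
```

These settings target accidental changes by ordinary users, which is the cost the article is concerned with. Because each GPO is linked to a single OU, moving a user between OUs changes which lockdown applies.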

Operations perspective

From an operations perspective, AD tools have a single consistent central place to manage users, groups and network resources. These tools can enable us to reduce the TCO from an operational perspective in the following areas:-

1. Automate labour intensive tasks. These tasks could be the aforementioned deployment of software and updates. It could also be the reconfiguration of applications such as how much hard disk space should be used for Internet Explorer caching.

In addition, an administrator can also quickly deploy images of the corporate workstation build for new PCs without the need for a technician to be present at the workstation using a technology called RIS (remote installation service).

2. Eliminate and focus technical support calls. Due to the desktops being better locked down, many support calls from accidental user error will be greatly reduced. In addition, there is security available for delegating common administrative tasks. This means that tasks such as resetting passwords or printer management can be assigned to designated 'PC wardens' in each department.

For example, a PC warden in the marketing department would be a user in that department with slightly more IT literacy and responsibility. Delegation of management helps to focus support calls and provide faster response times for very basic user problems as the designated PC warden is a member of the department and will, in many cases, be working near to the affected users.

3. Integrate diverse applications and databases. Due to the extensible nature of AD, it allows the integration of different applications and databases. An example of this is an email application such as Microsoft Exchange 2003, which can take advantage of the user objects in the AD database.

The benefit is that you no longer need to create separate users and groups for use with the email application. Instead an application such as Exchange 2003 will detect the names of all existing users in the AD database and can create mailboxes for each user at installation time. In addition, management of the email system can also be conducted from the same tools used to manage your basic network objects.
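The 'PC warden' delegation described in item 2, as an added example that is not part of the original article. It grants only password reset and unlock on user objects below one OU, then lists every principal that can reset passwords there. It assumes the ActiveDirectory module from current RSAT; the OU and group names are placeholders.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$ou      = 'OU=Marketing,DC=example,DC=com'   # placeholder OU
$wardens = 'EXAMPLE\Marketing-PCWardens'      # placeholder group

# Grant on user objects below the OU only (/I:S), nothing on the OU itself:
#   CA;Reset Password  set a new password without knowing the old one
#   WP;pwdLastSet      tick "user must change password at next logon"
#   WP;lockoutTime     unlock a locked-out account
dsacls $ou /I:S /G "${wardens}:CA;Reset Password;user" `
                   "${wardens}:WP;pwdLastSet;user" `
                   "${wardens}:WP;lockoutTime;user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $ou" }

# Audit: every Allow ACE on the OU that lets its holder reset user passwords.
$resetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$rights   = [System.DirectoryServices.ActiveDirectoryRights]

function Get-PasswordResetHolder {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # Full control implies every extended right.
            ($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll -or
            # Extended right: this one specifically, or all of them (empty GUID).
            ((($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $resetPwd -or $_.ObjectType -eq [guid]::Empty))
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

Get-PasswordResetHolder -DistinguishedName $ou | Format-Table -AutoSize
```

Running the audit function before and after the grant shows exactly what the delegation added, and running it periodically catches reset rights that have accumulated on the OU beyond the designated wardens.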


In summary, a service such as Microsoft's Active Directory can make managing your network simpler and help to dramatically reduce the total cost of ownership. If you have no similar service in place, it is well worth analysing the savings that could be made by moving towards AD.

In a report of this size, we can only give you a snapshot of some of these areas. Further TCO savings can be found in better security and in many other areas, such as AD's fault tolerance.

Ben Chai is author of Migrating from Windows NT to Windows 2000 and has worked on several AD projects in the financial sector. He can be emailed via