Using the methods of the IADsGroup and IADsUser interfaces, developers can create applications that rely upon the Windows NT SAM for managing application security rather than other methods, such as the Registry or external databases for access control and authentication. In addition, the systems administrator can script all group management activities.
In a properly managed file system, you can also use ADSI to manage permissions on directories and access to applications. Although ADSI cannot be used to directly modify the ACLs on a given resource without the ADSI Resource Kit extension DLLs, it is ideally suited to managing the group memberships for group ACEs within each ACL.
Beyond the creation of new groups and addition of group members, the potential for extension of default functionality is limited only by your own creativity. With a small amount of programming knowledge and the Active Directory Service Interfaces, the ability to script tedious group administration tasks can result in a reduction of risk to the computing environment, more efficient administration techniques, and maybe even a chance for you to go home on time.