Windows CE on the domain

Suppose you have a CE device and you want it to join an enterprise domain.  This blog contains the brain dump that I'm occasionally asked to present on the subject.  My perspective is from a fairly low layer, the protocol layer; I just don't have the expertise in domain management to talk about big-picture issues.  So please, no questions like "John, how should I configure my SMS server to maximize throughput and user experience across forests to multiple layers of distributed clients" :)

The base protocol for communication with Active Directory servers is LDAP.  WinCE contains the LDAP client API (wldap32.dll), which was ported from Win2003.  The reference documentation is available here, and it includes the differences between the CE and desktop LDAP implementations.  If you have the credentials of a user or a machine, your CE device will effectively look like any other XP box as far as Active Directory is concerned.  LDAP APIs let you query records, modify and delete records,

Sometimes you know the domain you're on (like REDMOND or MARKETING) but you don't know the name of the Active Directory server (like MARKET-DC1) that you need in order to make any sense of it.  LDAP needs this name, however.  WinCE supports domain controller discovery via the API DsGetDcName.  It is not a port of the desktop implementation, but from the app's perspective it should be the same experience.
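Neither wldap32 nor DsGetDcName shows you what actually crosses the wire, so here is an added illustration (not code from the post, from WinCE or from wldap32) that BER-encodes the two LDAPv3 messages any client sends once it has a DC name: a simple BindRequest and a rootDSE SearchRequest for the standard defaultNamingContext and dnsHostName attributes. It is plain Python and assumes nothing about CE beyond the protocol itself, which is why a CE device is indistinguishable from an XP box at this layer.

```python
"""BER encoding of two LDAPv3 client messages (RFC 4511): a simple BindRequest
and a rootDSE SearchRequest. Added illustration; not WinCE or wldap32 code."""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def integer(n: int) -> bytes:
    # Non-negative only (messageID, version, limits); the extra byte keeps the sign bit clear.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def octet_string(s: str, tag: int = 0x04) -> bytes:
    """OCTET STRING; a context-specific tag (e.g. 0x80, 0x87) may replace the universal one."""
    return tlv(tag, s.encode("utf-8"))


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return tlv(0x30, integer(message_id) + protocol_op)


def bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password (anonymous if empty)."""
    op = integer(3) + octet_string(dn) + octet_string(password, tag=0x80)
    return ldap_message(message_id, tlv(0x60, op))


def rootdse_search(message_id: int, attrs) -> bytes:
    """SearchRequest [APPLICATION 3] on the rootDSE: empty base, baseObject scope,
    filter (objectClass=*). This is how a client turns a DC name obtained from
    DsGetDcName into the naming context it should actually search."""
    op = (octet_string("")                            # baseObject
          + tlv(0x0A, b"\x00")                        # scope: baseObject
          + tlv(0x0A, b"\x00")                        # derefAliases: never
          + integer(0) + integer(0)                   # sizeLimit, timeLimit: unlimited
          + tlv(0x01, b"\x00")                        # typesOnly: FALSE
          + octet_string("objectClass", tag=0x87)     # Filter: present [7]
          + tlv(0x30, b"".join(octet_string(a) for a in attrs)))
    return ldap_message(message_id, tlv(0x63, op))


if __name__ == "__main__":
    print(bind_request(1).hex())
    print(rootdse_search(2, ["defaultNamingContext", "dnsHostName"]).hex())
```

Feeding the hex output to a packet dissector decodes it as an anonymous LDAP bind followed by a rootDSE search, the same two frames a desktop client emits.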

LDAP, in the big scheme of things, is somewhat primitive.  Windows XP has Group Policy Objects (GPOs), which allow really advanced things like setting IE's configuration, installing software, and so on.  WinCE does not support writing group policy objects.  You could do it using the basic LDAP APIs, but getting all the corner cases right would be a fair amount of work.

Another enterprise-related technology that WinCE does not support is machine account creation.  When you first join a WinXP box to a domain, you enter your user credentials and those credentials are used to create a new machine account in the domain.  That machine account can then be granted privileges through ACLs.

There are other mechanisms for configuring CE devices that don't require writing raw LDAP queries, such as SMS or third-party solutions.  The blog ends here, though, since that is where my knowledge ends.

[John Spaith]