The Windows Active Directory is a hierarchical framework of objects. This provides information of the various Active Directory objects, such as resources, services, user accounts, groups, and so on, and sets the access permission and security on these objects. The structure of the Active Directory network components are:
Groups are the Active Directory objects that can contain the users, computers, and other groups (nested groups). There are two types of groups, namely, Security Groups and Distribution Groups. While a security group is used to group users, computers, and other groups to assign permissions to resources, the distribution group is used only to create e-mail distribution lists. The scope of the group can be Local, Domain Local, Global, or Universal.
A user, in order to logon to a computer or a domain, requires a user account in the Active Directory, which establishes an identity for him/her. Based on this identity, the operating system authenticates the user and grants access to the domain resources. There are two pre-defined user accounts, administrator and guest, that are used to logon initially to make the necessary configurations.
Similar to user accounts, the computer accounts are used to provide necessary authorization to the computers for using the network and domain resources.
The basic security permissions supported by Windows, such as Read, Write, and Full Control, are available to each and every objects on the Active Directory. Apart from these standard permissions, AD also provides some special permissions based on the object class,such as List contents, Delete Tree, List Object, Write Self, Control Access, Create Child, Delete Child, Read Property, Write Property, and so on.
These permissions have to be assigned to the users or groups to restrict or grant access to the Active Directory objects. Each assignment of permissions to users or groups is referred to as Access Control Entry (ACE).
Permissions set on a container (or a parent object) can be applied to its child objects as well. This is referred to as inherited permissions. The Active Directory security model allows you to define explicit permissions or propagate permissions to its child objects. For example, you can specify the following conditions for propagation:
Containers can be any Active Directory components like Domain, Organizational Units, and only objects within those containers can inherit permissions from the parent.
Some commonly used Active Directory terminologies are discussed in the next topic.