Active Directory Overview

The Windows Active Directory is a hierarchical framework of objects. This provides information of the various Active Directory objects, such as resources, services, user accounts, groups, and so on, and sets the access permission and security on these objects. The structure of the Active Directory network components are:

  • Domains: A group of computers that share a common directory database.
  • Domain Trees: One or more domains that share a contiguous namespace.
  • Domain Forests: One or more domain trees that share common directory information.
  • Organization Units: A container or a subgroup of domains that is used to organize the objects within a domain into a logical administrative group.
  • Objects: The objects represent single entities, such as computers, resources, users, applications, and so on, with their attributes.

Active Directory Groups

Groups are the Active Directory objects that can contain the users, computers, and other groups (nested groups). There are two types of groups, namely, Security Groups and Distribution Groups. While a security group is used to group users, computers, and other groups to assign permissions to resources, the distribution group is used only to create e-mail distribution lists.  The scope of the group can be Local, Domain Local, Global, or Universal.

  • Local Groups: Its scope is limited only to the machine on which it exists. It can be used to grant permissions to access the machine resources.
  • Domain Local Groups: It has domain-wide scope, meaning, it can grant resource permissions on any of the windows machines in that domain.
  • Global Groups: It also has domain-wide scope, but, can be granted permissions in any domain.
  • Universal Groups: This group can be granted permissions in any domain. including domains in other forests (based on trust relationship).

Active Directory Users

A user, in order to logon to a computer or a domain, requires a user account in the Active Directory, which establishes an identity for him/her. Based on this identity, the operating system authenticates the user and grants access to the domain resources. There are two pre-defined user accounts, administrator and guest, that are used to logon initially to make the necessary configurations.

Active Directory Computers

Similar to user accounts, the computer accounts are used to provide necessary authorization to the computers for using the network and domain resources.

Managing Security Permissions

The basic security permissions supported by Windows, such as Read, Write, and Full Control, are available to each and every objects on the Active Directory. Apart from these standard permissions, AD also provides some special permissions based on the object class,such as List contents, Delete Tree, List Object, Write Self, Control Access, Create Child, Delete Child, Read Property, Write Property, and so on.

These permissions have to be assigned to the users or groups to restrict or grant access to the Active Directory objects. Each assignment of permissions to users or groups is referred to as Access Control Entry (ACE).

Inherited Permissions

Permissions set on a container (or a parent object) can be applied to its child objects as well. This is referred to as inherited permissions. The Active Directory security model allows you to define explicit permissions or propagate permissions to its child objects. For example, you can specify the following conditions for propagation:

  • This object only
  • This object and all child objects
  • Computer objects
  • Group objects
  • Organizational unit objects
  • User objects

Containers can be any Active Directory components like Domain, Organizational Units, and only objects within those containers can inherit permissions from the parent.

Some commonly used Active Directory terminologies are discussed in the next topic.