The Windows Active Directory is a hierarchical framework of objects. This provides information of the various Active Directory objects, such as resources, services, user accounts, groups, and so on, and sets the access permission and security on these objects. The structure of the Active Directory network components are:
Managing Security Permissions
The basic security permissions supported by Windows, such as Read, Write, and Full Control, are available to each and every objects on the Active Directory. Apart form these standard permissions, AD also provides some special permissions based on the object class,such as List contents, Delete Tree, List Object, Write Self, Control Access, Create Child, Delete Child, Read Property, Write Property, and so on.
These permissions have to be assigned to the users or groups to restrict or grant access to the Active Directory objects. Each assignment of permissions to users or groups is referred to as Access Control Entry (ACE).
Permissions set on a container (or a parent object) can be applied to its child objects as well. This is referred to as inherited permissions. The Active Directory security model allows you to define explicit permissions or propagate permissions to its child objects. For example, you specify the following conditions for propagation:
Containers can be any Active Directory components like Domain, Organizational Units and only objects within those containers can inherit permissions from the parent.