Active Directory overview

    Active Directory (AD) is a hierarchical system that provides a database and services to connect users with the necessary network resources for their work. It runs on Active Directory Domain Services, which provides the methods to store the data in the database. The database, or directory, stores vital information about an environment, such as the users and computers present and their permissions. The structure of the AD network components is as follows:

    • Domains: A logical group of objects that share common administration, security, and replication settings; in other words, a collection of computers and resources that are managed as a unit under a common set of rules.
    • Domain trees: One or more domains that share a contiguous namespace.
    • Domain forests: One or more domain trees that share common directory information.
    • Organizational units: A container or a subgroup of domains that is used to organize the objects within a domain into a logical administrative group.
    • Objects: Single entities, such as computers, resources, users, or applications, and their attributes.

    AD groups

    Groups are AD objects that can contain users, computers, and other groups (nested groups). There are two types of groups: security groups and distribution groups. While a security group is used to group users, computers, and other groups to assign permissions to resources, a distribution group is used only to create email distribution lists. The scope of the group can be local, domain local, global, or universal.

    • Local group: Its scope is limited only to the machine on which it exists. It can be used to grant permissions to access machine resources.
    • Domain local group: It has domain-wide scope, meaning it can grant resource permissions on any of the Windows machines in that domain.
    • Global group: It also has domain-wide scope, but it can be granted permissions in any domain.
    • Universal group: This group can be granted permissions in any domain, including domains in other forests (depending on the trust relationships in place).

    AD users

    To log in to a computer or a domain, a user requires a user account in AD, which establishes an identity for them. Based on this identity, the Windows operating system authenticates the user and grants access to the domain resources. There are two predefined user accounts, Administrator and Guest, which are used for the initial logon to carry out the necessary configuration.

    AD computers

    Similar to user accounts, computer accounts are used to provide necessary authorization to computers for using the network and domain resources. Computer accounts known as local system accounts are highly privileged with access to all resources on the local computer.

    Managing security permissions

    The basic security permissions supported by Windows, such as Read, Write, and Full Control, are available to every object within AD. Apart from these standard permissions, AD also provides some special permissions based on the object class, such as List contents, Delete Tree, List Object, Write Self, Control Access, Create Child, Delete Child, Read Property, and Write Property.

    These permissions have to be assigned to users or groups to restrict or grant access to AD objects. Each such assignment of permissions to a user or group is recorded on the object as an access control entry (ACE).

    Inherited permissions

    Permissions set on a container (or a parent object) can be applied to its child objects as well. This is referred to as inherited permissions. The AD security model allows you to define explicit permissions or propagate permissions to child objects. For example, you can specify the following conditions for propagation:

    • This object only
    • This object and all child objects
    • Computer objects
    • Group objects
    • Organizational unit objects
    • User objects

    Containers can be any AD components, like a domain or organizational unit, and only objects within those containers can inherit permissions from the parent.
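    The access control entries and propagation scopes described above can be inspected directly on any AD object. The following is an added PowerShell example, not part of the original page or the product it documents; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the object, and uses a placeholder OU distinguished name.

```powershell
# Added example (not from the original page): list the ACEs on an AD container and
# show, for each one, whether it is explicit or inherited and how far it propagates.
# Assumes the RSAT ActiveDirectory module. The DN below is a placeholder.
Import-Module ActiveDirectory

$TargetDn = 'OU=Workstations,DC=example,DC=com'   # placeholder DN, replace with a real one

# Build a lookup from schemaIDGUID to class/attribute name so that the
# InheritedObjectType GUID in each ACE can be shown as "computer", "user", etc.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.name }

# "This object only", "This object and all child objects", "Computer objects", ...
# correspond to the InheritanceType / InheritedObjectType pair stored on each ACE.
function Get-PropagationLabel {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $scope = switch ($Ace.InheritanceType) {
        'None'        { 'This object only' }
        'All'         { 'This object and all child objects' }
        'Descendents' { 'Child objects only' }
        'Children'    { 'Immediate child objects only' }
        default       { $Ace.InheritanceType.ToString() }
    }
    if ($Ace.InheritedObjectType -ne [guid]::Empty) {
        # Inheritance limited to one object class (e.g. computer, group, user, OU)
        $class = $guidToName[$Ace.InheritedObjectType]
        if (-not $class) { $class = $Ace.InheritedObjectType }
        $scope = "$class objects ($scope)"
    }
    return $scope
}

# Read the ACL through the AD: drive and report one row per ACE. Explicit entries
# (Inherited = False) are the ones set directly on this container; inherited ones
# came from a parent OU or the domain head.
$acl = Get-Acl -Path "AD:\$TargetDn"
$acl.Access |
    Select-Object @{n='Trustee';    e={ $_.IdentityReference }},
                  @{n='Rights';     e={ $_.ActiveDirectoryRights }},
                  @{n='Type';       e={ $_.AccessControlType }},
                  @{n='Inherited';  e={ $_.IsInherited }},
                  @{n='Applies to'; e={ Get-PropagationLabel $_ }} |
    Sort-Object Inherited, Trustee |
    Format-Table -AutoSize
```

Reviewing the explicit (non-inherited) entries on each container against the intended delegation model is a quick way to spot permissions that were granted directly rather than through the planned inheritance structure.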

    Some commonly used Active Directory terminologies are discussed in the next topic.
