Active Directory Overview

The Windows Active Directory is a hierarchical framework of objects. It stores information about the various Active Directory objects, such as resources, services, user accounts, groups, and so on, and sets the access permissions and security on these objects. The Active Directory network is structured from the following components:

  • Domains: A group of computers that share a common directory database.
  • Domain Trees: One or more domains that share a contiguous namespace.
  • Domain Forests: One or more domain trees that share common directory information.
  • Site: A grouping of machines based on a subnet of TCP/IP addresses. An administrator determines what a site is. Sites may contain multiple subnets, and there can be several domains in a site. For example, an organization may have branches around the city in which it is located; each location may be a site.
  • Schema: The formal definition of all object classes, and of the attributes that make up those object classes, that can be stored in the directory.
  • Organizational Units: A container within a domain that is used to organize the objects of that domain into a logical administrative group.
  • Objects: Objects represent single entities, such as computers, resources, users, applications, and so on, together with their attributes.

Active Directory Groups

Groups are Active Directory objects that can contain users, computers, and other groups (nested groups). There are two types of groups: Security Groups and Distribution Groups. A security group is used to group users, computers, and other groups in order to assign permissions to resources, whereas a distribution group is used only to create e-mail distribution lists. The scope of a group can be Local, Domain Local, Global, or Universal.

  • Local Groups: The scope is limited to the machine on which the group exists. It can be used to grant permissions to access that machine's resources.
  • Domain Local Groups: Domain-wide scope, meaning the group can be used to grant resource permissions on any of the Windows machines in that domain.
  • Global Groups: Also domain-wide in scope, but the group can be granted permissions in any domain.
  • Universal Groups: The group can be granted permissions in any domain, including domains in other forests (based on trust relationships).

Active Directory Users

A user, in order to log on to a computer or a domain, requires a user account in Active Directory, which establishes an identity for that user. Based on this identity, the operating system authenticates the user and grants access to the domain resources. There are two pre-defined user accounts, Administrator and Guest, that are used to log on initially and make the necessary configurations.

Active Directory Computers

Similar to user accounts, computer accounts provide the necessary authorization for computers to use the network and domain resources.

Managing Security Permissions

The basic security permissions supported by Windows, such as Read, Write, and Full Control, are available on every object in Active Directory. Apart from these standard permissions, AD also provides special permissions that depend on the object class, such as List Contents, Delete Tree, List Object, Write Self, Control Access, Create Child, Delete Child, Read Property, Write Property, and so on.