Active Directory Objects
There are two types of Active Directory groups, each with a different purpose. These are:
- Security principal groups - These objects can be assigned permissions and consist of:
- Distribution groups - Used to group users for applications such as mail.
Every object has a:
- Globally Unique Identifier (GUID) - Uniquely identifies each object. Its size is 128 bits.
- Security Identifier (SID) - A SID is created by the Windows 2000 security subsystem and assigned to security principal objects.
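The GUID and SID described above have fixed binary layouts in the directory (the objectGUID and objectSid attributes). The following Python block is an added example, not code from the original page: it converts a binary SID to and from its S-1-5-... string form, splits off the RID that makes a principal unique within its domain, and decodes a 128-bit objectGUID. The sample bytes are constructed by hand; the only real value used is the well-known BUILTIN\Administrators SID S-1-5-32-544.

```python
"""Parse and build Windows SIDs and objectGUIDs as stored in Active Directory.

Added example (not from the original page). Sample inputs are constructed;
in practice the bytes come from the objectSid / objectGUID attributes.
"""
import struct
import uuid


def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (objectSid format) to S-R-I-S... notation.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 4-byte little-endian
    sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string: build the binary form from 'S-1-5-...'."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)


def split_rid(sid_text: str) -> tuple[str, int]:
    """Split a principal SID into (domain SID, RID).

    The RID is the last sub-authority; it distinguishes a user, group or
    computer from every other security principal in the same domain.
    """
    domain, _, rid = sid_text.rpartition("-")
    return domain, int(rid)


def guid_from_ad_bytes(raw: bytes) -> str:
    """objectGUID is 16 bytes (128 bits) in the Windows little-endian layout."""
    if len(raw) != 16:
        raise ValueError("GUID must be exactly 128 bits")
    return str(uuid.UUID(bytes_le=raw))


# Constructed sample: the well-known BUILTIN\Administrators SID S-1-5-32-544.
#   revision=1, 2 sub-authorities, authority 5, subs 32 (0x20) and 544 (0x220)
BUILTIN_ADMINS_BYTES = bytes.fromhex("0102" "000000000005" "20000000" "20020000")

if __name__ == "__main__":
    text = sid_to_string(BUILTIN_ADMINS_BYTES)
    print(text, split_rid(text))
    # Constructed domain user SID: domain part plus RID 500 (the built-in Administrator)
    print(split_rid("S-1-5-21-1111-2222-3333-500"))
    print(guid_from_ad_bytes(uuid.uuid4().bytes_le))
```

Note that `split_rid` is only meaningful for principal SIDs; applying it to a bare domain SID would treat the last domain sub-authority as a RID.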
Active Directory Objects
Active Directory may contain all of the objects listed here, as well as the objects listed below that are contained by organizational units (OUs).
- Domain - The core unit in the Active Directory structure.
- Organizational Unit (automatically published) - Other organizational units may be contained inside organizational units.
Leaf objects are objects such as users and computers which cannot contain other objects.
Organizational Units are called container objects since they help to organize the directory and can contain other objects, including other OUs. The basic unit of administration is now the organizational unit rather than the domain. Organizational units allow the creation of subdomains, which are also called logical domains. Microsoft recommends that there should never be more than 10 levels of organizational unit nesting. Since deeper OU nesting slows directory access, normally there should be no more than three or four levels of nesting. Organizational units may contain:
- Organizational Unit (automatically published) - Used to create a hierarchy of AD objects organized into logical business units. Other organizational units may be contained inside organizational units.
- User (automatically published) - Individual person
- Group (automatically published) - Groups of user accounts. Groups make user management easier.
- Computer (Those in the domain are automatically published) - Specific workstations.
- Contact (automatically published) - Administrative contact for specific active directory objects.
- Connection - A defined one direction replication path between two domain controllers making the domain controllers potential replication partners. These objects are maintained on each server in "Active Directory Sites and Services".
- Shared folder - Used to share files and they map to server shares.
- Printer (Most are automatically published) - Windows NT shared printers are not published automatically.
- Site - A grouping of machines based on a subnet of TCP/IP addresses. An administrator determines what a site is. Sites may contain multiple subnets. There can be several domains in a site. For example, an organization may have branches around the city they are located in. Each location may be a site.
- Site container
- Site link - Defines the connection between sites. Can indicate the cost of sending data across a network in terms of available bandwidth. It is a list of two or more connected sites. Whether the link will use RPC or SMTP for passing data must be determined before creating the link, since it cannot be changed afterwards.
- Site link bridge - Allows one site in a string of sites to replicate through one or two sites to a second or third site. These are only used for fine control of how replication will occur across WAN links.
- Site settings
- Subnet - A part of a network based on addresses which is usually connected using routers. Subnets must be created in each site object before it is really active. A network address and subnet mask is used to define the subnet.
- Subnet container
- Trusted domain
Pre-installed Container Objects
Pre-installed container objects provide backward compatibility with Windows NT. They look and act like organizational units and include:
- Builtin - Built-in local groups.
- Computers - Computer accounts created using Windows NT. It is a list of workstations.
- Computer - Used to manage particular workstations.
- Domain Controllers - A list of domain controllers.
- Foreign Security Principals - Shows trust relationships with other domains.
- Users - Windows NT users.
Controlling objects in Active Directory controls access only to objects in Active Directory. Objects outside Active Directory may have their own access control. Permissions on corresponding objects in Active Directory do not affect permissions on external objects. Therefore, the user must have both Active Directory and object access.
When setting object permissions, they can be set so the change applies to all children of the object or only to the object itself. You can also set child objects to inherit permissions from their parent object. Access to specific object properties can be controlled. Object permissions for users and groups include:
- Full Control - Allows full access to the object and its sub objects, with the ability to take ownership of objects and change permissions of objects and sub objects
- Read - Allows object contents and properties to be displayed.
- Write - Allows object contents and properties to be changed except for modifying permissions, configuring auditing, or taking ownership.
- Create All Child Objects - Allows creation of any child objects.
- Delete All Child Objects - Allows deletion of any child objects.
Object access is controlled using the Active Directory Users and Computers tool: click "View", then "Advanced Features", click the + next to the domain, right-click the object, select "Properties", click the "Security" tab, and continue.
When the permissions of a user and of the groups the user belongs to differ for a specific object, the least restrictive permissions normally apply. The only exception to this is if the user or group is specifically denied one or more permissions to the object. When some permissions are denied, the most restrictive denials apply to the user. If the Full Control permission is denied to a user or group, that user or group will have no permissions. Explicit permissions set at the child object level override permission denial at the parent level, even if the child is set to inherit permissions from the parent.
Ownership can be taken if a user has the Take Ownership right to the object or if the user is part of the Domain Admins group. Ownership is managed using the Active Directory Users and Computers tool: click "View", then "Advanced Features", click the + next to the domain, right-click the object, select "Properties", click the "Security" tab, click "Advanced", and continue.
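The allow/deny rules above are easiest to check against a small model. The following Python block is an added example, not code from the original page: it evaluates the effective rights of a user on one object from an access control list holding entries for the user and for groups, using the five object permissions named above. It applies the rules as the text states them (allows from the user's own entry and all group entries combine, a matching deny overrides an allow, a deny of Full Control removes everything, and an explicit entry on the object beats a deny inherited from the parent). Windows reaches the same result by ordering the ACL explicit-deny, explicit-allow, inherited-deny, inherited-allow and taking the first entry that matches each right; that ordering is what the code applies. The principal names and the sample ACL are constructed.

```python
"""Model of how Active Directory resolves allow/deny object permissions.

Added example (not from the page). Principal names and the ACL are constructed.
"""
from dataclasses import dataclass, field

# The five object permissions listed on the page; Full Control stands for all of them.
RIGHTS = frozenset({"Read", "Write", "Create All Child Objects", "Delete All Child Objects"})
FULL_CONTROL = "Full Control"


def expand(rights) -> frozenset:
    """Full Control covers every individual right."""
    return frozenset(RIGHTS) if FULL_CONTROL in rights else frozenset(rights) & RIGHTS


@dataclass
class Ace:
    principal: str                     # user or group the entry applies to
    allow: bool                        # True = allow, False = deny
    rights: frozenset = field(default_factory=frozenset)
    inherited: bool = False            # True if inherited from the parent container

    def __post_init__(self):
        self.rights = expand(self.rights)


def canonical_order(acl):
    """Explicit entries before inherited ones; within each, deny before allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_rights(acl, user: str, groups) -> frozenset:
    """Rights the user ends up with, given membership in the listed groups."""
    principals = {user, *groups}
    granted = set()
    for right in RIGHTS:
        for ace in canonical_order(acl):
            if ace.principal in principals and right in ace.rights:
                if ace.allow:
                    granted.add(right)
                break  # the first matching entry decides this right
    return frozenset(granted)


# Constructed sample ACL on one organizational unit.
SAMPLE_ACL = [
    Ace("Domain Users", True, {"Read", "Write"}),
    Ace("Helpdesk", False, {"Write"}, inherited=True),   # deny inherited from parent
    Ace("Helpdesk", True, {"Write"}),                    # explicit allow on this object
    Ace("Contractors", False, {FULL_CONTROL}),           # Full Control denied
    Ace("Auditors", False, {"Write"}),                   # explicit deny
]

if __name__ == "__main__":
    # alice: explicit allow on the object beats the inherited deny -> Read, Write
    print(sorted(effective_rights(SAMPLE_ACL, "alice", {"Helpdesk", "Domain Users"})))
    # bob: Full Control denied through Contractors -> nothing, despite Domain Users
    print(sorted(effective_rights(SAMPLE_ACL, "bob", {"Contractors", "Domain Users"})))
    # carol: Auditors deny Write overrides the Domain Users allow -> Read only
    print(sorted(effective_rights(SAMPLE_ACL, "carol", {"Auditors", "Domain Users"})))
```

The model deliberately ignores ownership and property-level (attribute) permissions; an owner can always change the permissions of an object regardless of what the ACL says, which is why the Take Ownership right and Domain Admins membership matter in the paragraph above.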
Active Directory Object Administration Delegation
Management of objects listed in Active Directory can be delegated to other administrators. Administrative authority cannot be delegated for objects smaller than the Organizational Unit (OU). There are two ways to delegate object control:
- Find the object in the Active Directory Users and Computers tool, right click on the object, and select "Delegate Control". The Delegation of Control Wizard will start.
- Perform the same action as is done when configuring permissions by using the "View" menu in the Active Directory Users and Computers tool, and click on "Advanced Features".
Object identifiers are strings in a dot notation similar to IP addresses. There are authorities that issue object identifiers. Each of these authorities can give an object identifier on a sublevel to other authorities. The International Standards Organization (ISO) is the root authority. The ISO has a number of 1. When it assigns a number to another organization, that number is used to identify that organization. If it assigned CTDP the number 469034, and CTDP issued 1 to Mark Allen, and Mark Allen assigned 10 to an application, the number of the application would be "1.469034.1.10".
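The chain of authorities described above can be modelled as a tree in which each authority hands out sub-arcs. The following Python block is an added example, not code from the original page: it builds the page's own illustration (ISO as arc 1, CTDP at 469034, Mark Allen at 1, the application at 10, giving "1.469034.1.10"), validates dotted notation, and checks whether one OID was issued under another. The CTDP chain is the page's hypothetical example; the only other real value used is Microsoft's registered arc 1.2.840.113556, under which the Active Directory schema's own attribute and class identifiers live.

```python
"""Build and check object identifiers issued through a chain of authorities.

Added example (not from the page). The CTDP / Mark Allen chain is the page's
own illustration; Microsoft's arc 1.2.840.113556 is a real registration.
"""
import re

# An arc is a non-negative integer written without leading zeros.
_ARC = re.compile(r"^(0|[1-9][0-9]*)$")


class OidAuthority:
    """A node in the OID tree; every authority may hand out sub-arcs."""

    def __init__(self, name: str, arc: int, parent=None):
        self.name, self.arc, self.parent = name, arc, parent
        self.children = {}

    @property
    def oid(self) -> str:
        parts, node = [], self
        while node is not None:
            parts.append(str(node.arc))
            node = node.parent
        return ".".join(reversed(parts))

    def assign(self, arc: int, name: str) -> "OidAuthority":
        """Issue a sub-arc to another organisation, person or application."""
        if arc in self.children:
            raise ValueError(f"{self.oid}.{arc} is already assigned to {self.children[arc].name}")
        child = OidAuthority(name, arc, self)
        self.children[arc] = child
        return child


def _arcs(text: str) -> list:
    parts = text.split(".")
    if any(not _ARC.match(p) for p in parts):
        raise ValueError(f"malformed OID {text!r}")
    return [int(p) for p in parts]


def parse_oid(text: str) -> list:
    """Validate dotted notation and return the arcs as integers."""
    arcs = _arcs(text)
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    if arcs[0] > 2:
        raise ValueError("the root arc must be 0, 1 or 2 (ISO is 1)")
    return arcs


def is_under(oid: str, authority_oid: str) -> bool:
    """True if oid was issued (directly or indirectly) under authority_oid."""
    a, b = parse_oid(oid), _arcs(authority_oid)
    return len(a) > len(b) and a[: len(b)] == b


def page_example() -> str:
    """Rebuild the chain from the text: ISO -> CTDP -> Mark Allen -> application."""
    iso = OidAuthority("ISO", 1)
    ctdp = iso.assign(469034, "CTDP")
    mark = ctdp.assign(1, "Mark Allen")
    app = mark.assign(10, "application")
    return app.oid


if __name__ == "__main__":
    print(page_example())                                   # 1.469034.1.10
    print(is_under(page_example(), "1.469034"))             # True
    print(is_under("1.2.840.113556.1.4.1", "1.2.840.113556"))  # True: an AD schema OID
```

`is_under` is the check a schema administrator wants before accepting a new attribute or class definition: an OID that does not fall under an arc the organisation actually controls may collide with someone else's.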
Object Attribute Syntax
Attribute syntax defines the type of data the attribute contains. In the schema, each syntax is identified by an attributeSyntax object identifier in the range 2.5.5.1 through 2.5.5.17, paired with an oMSyntax number. The attribute syntaxes are:
- Undefined - illegal
- Object (DN-DN)
- String (Object ID)
- Case sensitive string
- String not sensitive to case
- Printable string
- Numeric string
- Binary object
- Octet string
- Time string
- Unicode string
- Presentation address
- DN string object
- NT-sec-desc - Windows NT security descriptor
- Large integer
- Security ID - Windows NT security ID