Active Directory Objects

Object Types

Active Directory objects fall into two kinds, distinguished by whether they can be granted permissions. These are:

  • Security principals - Objects that receive a Security Identifier (SID) and can therefore be placed in an access control list and assigned permissions and user rights. They consist of:
    • user accounts
    • security groups
    • computer accounts
  • Distribution groups - Groups with no SID, used only to collect users for applications such as e-mail. They cannot be assigned permissions, so they never appear in an access control list.

Object Characteristics

Every object has a:

  • Globally Unique Identifier (GUID) - A 128-bit value (the objectGUID attribute) assigned when the object is created. It never changes, even if the object is renamed or moved to another OU or domain, which makes it the reliable way for applications to refer to an object.
  • Security Identifier (SID) - Created by the Windows 2000 security subsystem and assigned to security principal objects only (users, security groups and computers). Access control lists refer to principals by SID rather than by name, so permissions survive a rename. Because a SID embeds the identifier of the domain that issued it, an object moved to another domain receives a new SID.
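To see what these two identifiers look like on the wire, here is an added example (not part of this page and not Microsoft's tools) that decodes the binary objectGUID and objectSid values an LDAP client receives. Both byte strings are constructed for the example; the decoding follows the documented layouts of the two identifiers.

```python
"""Decode the binary objectGUID and objectSid values that an LDAP query
returns for an Active Directory object. Added example for this page, not
Microsoft code; the sample bytes are constructed, not from a real domain."""
import struct
import uuid


def guid_from_bytes(raw: bytes) -> str:
    """objectGUID is 128 bits stored in Windows byte order: the first three
    fields little-endian, the last two as-is. uuid handles that as bytes_le."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def sid_from_bytes(raw: bytes) -> str:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count 32-bit
    little-endian sub-authorities. Returned in the usual S-1-5-21-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; also handy for building LDAP filters on
    objectSid, which must be written as escaped binary."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority, which identifies the
    principal within its domain (500 = Administrator, 512 = Domain Admins)."""
    return int(sid.rsplit("-", 1)[1])


# Constructed samples. A contact or distribution group has an objectGUID
# but no objectSid, because it is not a security principal.
SAMPLE_GUID = bytes.fromhex("33221100554477668899aabbccddeeff")
SAMPLE_SID = sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-512")
BUILTIN_ADMINS = bytes.fromhex("01020000000000052000000020020000")  # S-1-5-32-544

if __name__ == "__main__":
    print(guid_from_bytes(SAMPLE_GUID))
    print(sid_from_bytes(SAMPLE_SID), "RID", rid(sid_from_bytes(SAMPLE_SID)))
    print(sid_from_bytes(BUILTIN_ADMINS))
```

The domain part of a SID is everything before the last sub-authority; two accounts in the same domain share it and differ only in the RID, which is why the well-known RIDs (500, 512, 519) are worth recognising in logs even when the account has been renamed.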

Active Directory Objects

A domain may contain the objects listed here, as well as every kind of object that an organizational unit (OU) may contain (listed in the next section).

  • Domain - The core unit in the Active Directory structure.
  • Organizational Unit (automatically published) - Other organizational units may be contained inside organizational units.

Leaf objects are objects such as users and computers which cannot contain other objects.


Organizational Units

Organizational Units are called container objects since they organize the directory and can contain other objects, including other OUs. Within a domain the basic unit of administration is now the organizational unit rather than the domain: OUs let one domain be partitioned for delegated administration and Group Policy without creating additional domains, which is why an OU is sometimes loosely called a logical domain. Microsoft recommends that there should never be more than 10 levels of organizational unit nesting, and since each additional level adds to Group Policy processing and makes distinguished names longer and harder to manage, normally there should be no more than three or four levels of nesting. Organizational units may contain:

  • Organizational Unit (automatically published) - Used to build a hierarchy of AD objects that mirrors logical business units. Other organizational units may be contained inside organizational units.
  • User (automatically published) - An individual person's account.
  • Group (automatically published) - A collection of user accounts. Groups make user management easier because permissions are granted once to the group rather than to each user.
  • Computer (those in the domain are automatically published) - Specific workstations or servers.
  • Contact (automatically published) - An administrative contact for specific Active Directory objects; a contact has no account and no SID.
  • Connection - A defined one-way replication path between two domain controllers, making them replication partners. These objects are maintained per server in "Active Directory Sites and Services" and are normally generated automatically.
  • Shared folder - Publishes an existing server share in the directory so it can be found by searching; the object points at the share and does not create or secure it.
  • Printer (most are automatically published) - Printers shared from Windows 2000 are published automatically; printers shared from Windows NT are not.
  • Site - A grouping of machines based on one or more well-connected TCP/IP subnets. An administrator determines what a site is. Sites may contain multiple subnets, and there can be several domains in a site. For example, an organization with branches around the city it is located in may make each location a site.
  • Site container
  • Site link - Defines the connection between two or more sites and can indicate the cost of sending data across it in terms of available bandwidth. Whether the link uses RPC over IP or SMTP for replication must be decided before creating the link, since the link is created under that transport and cannot be moved afterwards.
  • Site link bridge - Makes two or more site links transitive, so that a site at one end of a chain can replicate through the intermediate sites to a site at the other end. Bridges are only needed when automatic bridging of all site links has been turned off for fine control of how replication flows across WAN links.
  • Site settings
  • Subnet - A part of a network based on addresses, usually connected to the rest of the network through routers, and defined by a network address and subnet mask. A subnet is associated with a site; a site has no effect until at least one subnet has been associated with it.
  • Subnet container
  • Trusted domain

Pre-installed Container Objects

Pre-installed container objects are created when the domain is set up and provide backward compatibility with Windows NT. They look and act like organizational units, with one important difference: apart from Domain Controllers, they are plain containers rather than OUs, so Group Policy cannot be linked to them and objects that need policy should be moved into a real OU. They include:

  • Builtin - Built-in domain local groups such as Administrators and Account Operators.
  • Computers - The default location for computer accounts, including those created under Windows NT. Each computer object in it is used to manage that particular workstation or server.
  • Domain Controllers - A list of the domain's domain controllers. This one is a real OU and has its own default Group Policy.
  • Foreign Security Principals - Placeholders holding the SIDs of users and groups from trusted external domains that have been made members of groups in this domain.
  • Users - The default location for user accounts and groups, including those upgraded from Windows NT and the predefined accounts and groups such as Administrator and Domain Admins.

Object Access

Active Directory permissions control access only to the directory objects themselves. Objects that merely represent resources outside the directory, such as a published shared folder or printer, are protected separately by the share, NTFS or printer permissions on the resource, and permissions on the directory object do not change those. To use a resource found through the directory, a user therefore needs both the directory permission (to find and read the object) and the permission on the resource itself.

When setting object permissions, an entry can be made to apply to the object only, to the object and all of its child objects, or to child objects only. Child objects inherit permissions from their parent by default; inheritance can be blocked on a child, and a parent's entries can be marked as not inheritable. Access to specific object properties can be controlled as well, so that, for example, a help desk group may be allowed to change only a user's telephone number. The standard object permissions for users and groups are:

  • Full Control - Allows full access to the object and its sub objects, with the ability to take ownership of objects and change permissions of objects and sub objects
  • Read - Allows object contents and properties to be displayed.
  • Write - Allows object contents and properties to be changed except for modifying permissions, configuring auditing, or taking ownership.
  • Create All Child Objects - Allows creation of any child objects.
  • Delete All Child Objects - Allows deletion of any child objects.

Object access is controlled using the Active Directory Users and Computers tool: click "View", then "Advanced Features", click the + next to the domain, right click the object, select "Properties", click the "Security" tab, and continue.

Permission Combinations

When the permissions of a user and of the groups that user is in differ for an object, they add together, so the least restrictive result normally applies. The exception is when the user or one of the groups is explicitly denied one or more permissions on the object: a Deny takes precedence over an Allow of the same permission from any other entry at the same level, so once anything is denied the most restrictive combination applies. If Full Control is denied to a user or group, that user or group has no permissions on the object at all. Permissions set explicitly on a child object are evaluated before permissions inherited from its parent, so an explicit Allow on the child overrides a Deny inherited from the parent even if the child is set to inherit permissions.
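The rules above can be checked against a small model of the access check. The following is an added example written for this page, not Microsoft's algorithm or code: it orders the access control entries the way Windows does (this object's explicit Deny then Allow entries, then each ancestor's inheritable entries) and walks them for a user together with the groups the user belongs to. The domain, OU, user objects, groups and entries are all constructed, and rights are named strings rather than the real bit flags.

```python
"""Model of how Windows orders and evaluates the ACEs on an Active Directory
object, to show the permission-combination rules on this page. Added example,
not Microsoft code; the domain, OU, users, groups and ACEs are constructed,
and rights are named strings where the real ones are bit flags."""
from dataclasses import dataclass, field

RIGHTS = frozenset({"Read", "Write", "CreateChild", "DeleteChild", "WriteDacl", "WriteOwner"})
FULL_CONTROL = RIGHTS  # "Full Control" is every right at once


@dataclass
class Ace:
    kind: str                 # "Allow" or "Deny"
    trustee: str              # user or group the entry applies to
    rights: frozenset         # subset of RIGHTS
    inheritable: bool = True  # also applies to child objects


@dataclass
class Entry:
    explicit: list = field(default_factory=list)  # ACEs set on this object itself
    inherits: bool = True                         # False = inheritance from the parent blocked


def parent_dn(dn: str):
    """'CN=Bob,OU=Sales,DC=example,DC=com' -> 'OU=Sales,DC=example,DC=com'."""
    _, sep, tail = dn.partition(",")
    return tail if sep else None


def effective_dacl(directory: dict, dn: str) -> list:
    """Canonical order: this object's explicit Deny then Allow entries, then
    the inheritable Deny/Allow entries of each ancestor, nearest first. Walking
    the list in this order is what lets an explicit Allow on a child beat a
    Deny inherited from its parent."""
    def ordered(aces):
        return [a for a in aces if a.kind == "Deny"] + [a for a in aces if a.kind == "Allow"]

    entry = directory[dn]
    dacl = ordered(entry.explicit)
    cur = dn
    while entry.inherits:
        cur = parent_dn(cur)
        if cur is None or cur not in directory:
            break
        entry = directory[cur]
        dacl += ordered([a for a in entry.explicit if a.inheritable])
    return dacl


def access_check(directory, dn, user, groups, requested) -> bool:
    """Walk the ACEs in order for a token made of the user and its groups.
    A matching Deny that covers any still-wanted right fails the check at
    once; matching Allows remove rights from the request until nothing is
    left. Anything never allowed is implicitly denied."""
    wanted, token = set(requested), {user, *groups}
    for ace in effective_dacl(directory, dn):
        if ace.trustee not in token:
            continue
        if ace.kind == "Deny" and wanted & ace.rights:
            return False
        if ace.kind == "Allow":
            wanted -= ace.rights
            if not wanted:
                return True
    return not wanted


def effective_rights(directory, dn, user, groups) -> frozenset:
    """What an effective-permissions view would list: each right checked on its own."""
    return frozenset(r for r in RIGHTS if access_check(directory, dn, user, groups, {r}))


# Constructed directory: a domain, one OU and two user objects in it.
DOMAIN = "DC=example,DC=com"
SALES = "OU=Sales," + DOMAIN
ALICE, BOB = "CN=Alice," + SALES, "CN=Bob," + SALES
DIRECTORY = {
    DOMAIN: Entry([Ace("Allow", "Domain Users", frozenset({"Read"}))]),
    SALES: Entry([
        Ace("Deny", "Sales Staff", frozenset({"Write"})),   # inherited by every object in the OU
        Ace("Allow", "Sales Admins", frozenset({"Write"})),
        Ace("Deny", "Contractors", FULL_CONTROL),           # denies every right at once
    ]),
    ALICE: Entry([Ace("Allow", "Sales Staff", frozenset({"Write"}), inheritable=False)]),
    BOB: Entry(),
}

if __name__ == "__main__":
    dave = ("dave", {"Domain Users", "Sales Staff", "Sales Admins"})
    print("dave Write on Bob  :", access_check(DIRECTORY, BOB, *dave, {"Write"}))    # inherited Deny wins
    print("dave Write on Alice:", access_check(DIRECTORY, ALICE, *dave, {"Write"}))  # explicit Allow on child wins
    print("eve rights on Bob  :", effective_rights(DIRECTORY, BOB, "eve", {"Domain Users", "Contractors"}))
```

The three checks in the main block reproduce the rules in this section: Read from the domain and Write from Sales Admins add up for a member of both, the Deny inherited from the OU beats the Allow that dave's other group would give him on CN=Bob, and the explicit Allow set on CN=Alice wins over that same inherited Deny. In practice the entries would be read from the object's Security tab or with dsacls rather than constructed.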

Object Ownership

Every object has an owner, initially the account that created it (an object created by a member of Domain Admins is owned by the Domain Admins group). Ownership can be taken by a user who has the Take Ownership permission on the object or who is a member of the Domain Admins group. The owner can always change the object's permissions, which is why taking ownership is the way to regain control of an object whose permissions were set wrongly. Ownership is viewed and taken in the Active Directory Users and Computers tool by clicking "View", then "Advanced Features", clicking the + next to the domain, right clicking the object, selecting "Properties", clicking the "Security" tab, clicking "Advanced", selecting the "Owner" tab, and continuing.

Active Directory Object Administration Delegation

Management of objects in Active Directory can be delegated to other administrators by granting them permissions on a container. The Delegation of Control Wizard runs on the domain, on organizational units and on the pre-installed containers, not on individual objects such as a single user, so the OU is the practical unit of delegation; to restrict a delegate to one object, edit that object's permissions directly on its Security tab. There are two ways to delegate object control:

  • Find the object in the Active Directory Users and Computers tool, right click on the object, and select "Delegate Control". The Delegation of Control Wizard will start.
  • Perform the same action as is done when configuring permissions by using the "View" menu in the Active Directory Users and Computers tool, and click on "Advanced Features".

Object Identifiers

Object identifiers (OIDs) are strings of numbers in a dotted notation that looks like an IP address, but an OID is hierarchical and can be of any length. Each number (an arc) is assigned by the authority that owns the number before it, and any authority can in turn delegate a sub-arc to another organization. The International Organization for Standardization (ISO) is the authority for the root arc 1. When it assigns a number to another organization, that number is used to identify that organization. If it assigned CTDP the number 469034, and CTDP issued 1 to Mark Allen, and Mark Allen assigned 10 to an application, the number of the application would be "1.469034.1.10". In Active Directory every schema class (governsID) and attribute (attributeID) carries an OID; Microsoft's arc is 1.2.840.113556, and an organization extending the schema should issue its new OIDs from an arc registered to it so that they cannot collide with anyone else's.

Object Attribute Syntax

Attribute syntax defines the type of data the attribute contains. It is recorded by two attributes on each attributeSchema object: attributeSyntax, an OID in the range 2.5.5.0 through 2.5.5.17, and oMSyntax, an integer that refines it (2.5.5.11, for example, covers both UTC Time and Generalized Time, told apart by oMSyntax 23 and 24). The syntaxes, in attributeSyntax order, are:

  • 2.5.5.0 - Undefined - illegal
  • 2.5.5.1 - Object (DN-DN) - a distinguished name
  • 2.5.5.2 - String (Object ID)
  • 2.5.5.3 - Case sensitive string
  • 2.5.5.4 - String not sensitive to case
  • 2.5.5.5 - Printable string
  • 2.5.5.6 - Numeric string
  • 2.5.5.7 - Object (DN-Binary) - a distinguished name with binary data attached
  • 2.5.5.8 - Boolean
  • 2.5.5.9 - Integer
  • 2.5.5.10 - Octet string
  • 2.5.5.11 - Time string
  • 2.5.5.12 - Unicode string
  • 2.5.5.13 - Presentation address
  • 2.5.5.14 - DN string object
  • 2.5.5.15 - NT-sec-desc - Windows NT security descriptor
  • 2.5.5.16 - Large integer
  • 2.5.5.17 - Security ID - Windows NT security ID