Previous Page | Next Page

  1. Introduction
  2. Windows 2000 Professional
  3. Windows 2000 Server
  4. Windows 2000 Advanced Server
  5. Windows 2000 Datacenter Server
  6. Application Support
  7. System Operation
  8. Disks and Volumes
  9. Filesystems
  10. Configuration Files
  11. Security
  12. Network Support
  13. Access Management
  14. Processes
  15. AD Structure
  16. AD Objects
  17. AD Object Naming
  18. AD Schema
  19. AD Sites
  20. Domains
  21. AD Functions
  22. AD Replication
  23. DNS
  24. AD Security
  25. AD Installation
  26. AD Configuration
  27. AD Performance
  28. Installation
  29. Installation Options
  30. Unattended Installation
  31. Software Distribution
  32. Remote Installation Service
  33. Language
  34. Accessibility
  35. File Attributes
  36. Shares
  37. Distributed File System
  38. Control Panel
  39. Active Directory Tools
  40. Computer Management Console Tools
  41. MMC Tools
  42. Network Tools
  43. Network Monitor
  44. System Performance Monitoring
  45. Tools
  46. Managing Services
  47. Connections
  48. TCP/IP
  49. DHCP
  50. Printing
  51. Routing
  52. IPSec
  53. ICS
  54. Fault Tolerance
  55. Backup
  56. System Failure
  57. Services
  58. Remote Access
  59. WINS
  60. IIS
  61. Certificate Server
  62. Terminal Services
  63. Web Services
  64. Authentication
  65. Accounts
  66. Permissions
  67. Groups
  68. User Rights and Auditing
  69. Auditing
  70. User Profiles
  71. Policies
  72. Group Policies
  73. Miscellaneous
  74. Terms
  75. Credits

Active Directory Security

The following components are used to implement Active Directory security:

  • Security Descriptors - Every object has a security descriptor which:
    • Defines the permissions that can be assigned to the object or object type.
    • Contains the object owner security identifier (SID) which identifies the owner (security principle) of the object.
    • Contains any group security identifiers (SID) which is used for compatability with systems not created by Microsoft.
    Access Control Lists that are contained in security descriptors:
    • Discretionary Access Control List (DACL) - Contains security principle SIDS that have permission for an object.
    • Security Access Control List (SACL) - Defines auditable events for specific objects.
  • Security Identifiers (SIDs) - These are always unique numbers within a forest which are used to identify security principle objects. There are two SID types:
    • Owner SID
    • Group SID
    There are two parts of a SID which are:
    • Domain - Identifies the domain the object was created in.
    • Relative Identifier (RID) - Specifies the domain account object the object was created in.
  • Security Principles - Objects that can have permissions assigned to them and each contain security identifiers. The following objects are security principles:
    • User
    • Computer
    • Group

Permission Inheritance

Objects inherit the permissions of the organizational unit that they were created in. Permissions can be applied to container objects such that they apply to:

  • Only the object.
  • The object and all its children.
  • Only the children objects.
  • Only specific child object types such as folders.

If inheritance is blocked from the container object, either previously inherited permissions are copied to the objects in the parent, orpreviously inherited permissions are removed from child objects meaning permissions must be manually set.

If an object is moved to another container object, the permissions directly assigned to that object remain. Any inherited permissions are lost and the object inherits permissions from its new container object unless inheritance is blocked.

SYSVOL Share

In Windows 2000, the SYSVOL share is used to to authenticate users. The SYSVOL share includes group policy information which is replicated to all local domain controllers.

Access Control Lists

Every Active Directory object has an access control list (ACL). ACEs (Access control entries) are entries in an access control list (ACL). Each ACE contain security IDs for users and groups (security principles) along with the associated permissions for that user or group ID.