Active Directory Travis Favors Ryan Manuel Robert Rayer.


Page 1

Active Directory

Travis Favors, Ryan Manuel, Robert Rayer

Page 2

Active Directory

Contains information about all objects in an organization’s network.

Arranges objects into logical, hierarchical groups.

Provides permissions based on stored information.

Provides authentication.

Page 3

Attributes

Characteristics and information that belong to an object.

Can be required or optional.

Page 4

Objects

Entities of the network

Composed of attributes

Example Objects: User, Printer, Shared Folder

Page 5

Object Classes

Contains a list of associated attributes

Blueprint for object creation

Page 6

Schema

Master List of all object classes

Defines all objects and attributes available for an object

Identifies the relationships between all objects

Page 7

Schema

The slide diagrams the schema as object classes (left column) with their attributes (right column):

User: name, department

Printer: name, location

Shared Folder: name, description

Page 8

Access Control

Used to manage user access to shared resources.

Administered at the object level by setting permissions.

Examples: full control, write, read, and no access.

Permissions are set on shared objects.

Shared objects are objects that are intended to be used over a network by more than one user.

Three elements define access control permissions.

Page 9

Security Descriptors

Permissions are stored in security descriptors

Security Descriptors contain two access control lists

Discretionary Access Control List (DACL)

System Access Control List (SACL)

Page 10

User Authentication

The slide diagrams the two sides of an access check:

User’s Access Token (the subject): User SID, Group SIDs, List of Privileges, Other Access Information

Object’s Security Descriptor (the object): Object Owner SID, Group SID, DACL (ACE, ACE, ACE), SACL (ACE, ACE, ACE)

Active Directory also authenticates and authorizes users, groups, and computers to access objects on the network.

The Local Security Authority (LSA) is responsible for all user authentication.

LSA generates two pieces of information after a user’s identity is confirmed.
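The two slides above (security descriptors with their DACL and SACL, and the access token checked against them) can be made concrete in code. The following is an added example, not part of the slides: it parses a security descriptor written in Windows SDDL string form into owner SID, group SID, DACL and SACL, and then runs a simplified version of the DACL access check, walking the ACEs in order, stopping at the first matching deny, and accumulating allowed rights until every requested right is granted. The SDDL rights codes and SID abbreviations are the real Windows ones; the descriptor string, the domain SIDs and the token contents are constructed for the example. The model omits owner implicit rights and generic-to-specific rights mapping.

```python
"""Parse an SDDL security descriptor and run a simplified DACL access check (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# SDDL two-letter rights codes (real Windows values) -> access-mask bits.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Well-known SID abbreviations used in the SID field (real SDDL aliases, subset).
SID_ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "WD": "S-1-1-0", "AU": "S-1-5-11"}


@dataclass
class Ace:
    ace_type: str  # "A" = access allowed, "D" = access denied, "AU" = system audit
    flags: str     # e.g. "CI" container inherit, "ID" inherited, "SA" audit on success
    mask: int      # access mask the ACE grants, denies or audits
    sid: str       # trustee the ACE applies to


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list | None      # None = no DACL at all (Windows grants everything); [] = deny all
    sacl: list
    dacl_protected: bool   # SDDL "P" flag: inheritance from the parent container turned off


@dataclass
class AccessToken:
    user_sid: str
    group_sids: list
    privileges: list = field(default_factory=list)

    def sids(self):
        return {self.user_sid, *self.group_sids}


ACE_RE = re.compile(r"\(([^)]*)\)")
SECTION_RE = re.compile(r"(O|G|D|S):")


def parse_rights(text):
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]
    return mask


def parse_acl(text):
    aces = []
    for body in ACE_RE.findall(text):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")[:6]
        aces.append(Ace(ace_type, flags, parse_rights(rights), SID_ALIASES.get(sid, sid)))
    return aces


def parse_sddl(sddl):
    # Split the string into its O:, G:, D: and S: sections.
    matches = list(SECTION_RE.finditer(sddl))
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    dacl_text = sections.get("D")
    acl_flags = dacl_text.split("(", 1)[0] if dacl_text else ""
    owner, group = sections.get("O", ""), sections.get("G", "")
    return SecurityDescriptor(
        owner=SID_ALIASES.get(owner, owner),
        group=SID_ALIASES.get(group, group),
        dacl=parse_acl(dacl_text) if dacl_text is not None else None,
        sacl=parse_acl(sections.get("S", "")),
        dacl_protected="P" in acl_flags,
    )


def access_check(sd, token, desired):
    """Simplified Windows DACL evaluation: first matching deny wins, allows accumulate."""
    if sd.dacl is None:
        return True
    remaining = desired
    sids = token.sids()
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed sample: owner Builtin Administrators, group Local System; the DACL denies
# WriteProperty to user RID 1105, then allows that user Read+WriteProperty, then allows
# Authenticated Users ReadProperty; the SACL audits successful WriteProperty by Everyone.
SAMPLE_SDDL = ("O:BAG:SYD:(D;;WP;;;S-1-5-21-1000-2000-3000-1105)"
               "(A;;RPWP;;;S-1-5-21-1000-2000-3000-1105)(A;;RP;;;AU)"
               "S:(AU;SA;WP;;;WD)")


def demo():
    sd = parse_sddl(SAMPLE_SDDL)
    alice = AccessToken("S-1-5-21-1000-2000-3000-1105", ["S-1-5-11"])  # constructed token
    return {"alice_read": access_check(sd, alice, RIGHTS["RP"]),
            "alice_write": access_check(sd, alice, RIGHTS["WP"])}


if __name__ == "__main__":
    print(demo())  # alice can read but the explicit deny blocks the later allow for write
```

The ordering matters: the deny ACE precedes the allow ACE that would grant WriteProperty, so the write is refused even though an allow exists further down. A DACL section that is present but empty (`D:` with no ACEs) denies everyone, which is different from a descriptor with no DACL at all.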

Page 11

Object Inheritance

The slide diagrams nested OUs, with a Parent Object at the top and two Child Objects beneath it.

Objects inherit permissions from their parent container when they’re created.

Object inheritance can be turned off.
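The inheritance rule on this slide, as an added example rather than anything from the slides: a small model of an OU tree in which a newly created object receives its own explicit ACEs plus the inheritable ACEs of every ancestor container, in Windows canonical order (explicit deny, explicit allow, then inherited ACEs from the nearest container outward), unless inheritance has been turned off on the object. The object names, trustees and rights strings are constructed placeholders, and the `inheritable`, `inherited` and `protected` fields stand in for the SDDL CI/OI, ID and P flags.

```python
"""Model how a child object's DACL is built from its parent containers (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Ace:
    ace_type: str            # "A" allow or "D" deny
    trustee: str             # user or group the ACE applies to (placeholder names here)
    rights: str              # human-readable rights label for this model
    inheritable: bool = False  # stands in for the CI/OI flags: flows down to children
    inherited: bool = False    # stands in for the ID flag: this ACE came from an ancestor


@dataclass
class AdObject:
    name: str
    explicit_aces: list
    protected: bool = False        # True = inheritance turned off for this object
    parent: AdObject | None = None


def canonical(aces):
    """Windows canonical order within one level: deny ACEs before allow ACEs."""
    return sorted(aces, key=lambda a: a.ace_type != "D")


def effective_dacl(obj):
    """DACL the object gets at creation: explicit ACEs, then inherited ones per ancestor level."""
    dacl = canonical(obj.explicit_aces)
    if obj.protected:
        return dacl                     # inheritance off: nothing flows in from above
    node = obj.parent
    while node is not None:
        level = [Ace(a.ace_type, a.trustee, a.rights, True, inherited=True)
                 for a in node.explicit_aces if a.inheritable]
        dacl += canonical(level)
        if node.protected:
            break                       # a protected ancestor passes on only its own ACEs
        node = node.parent
    return dacl


def build_sample_tree():
    """Constructed tree: domain root -> Sales OU -> two user objects."""
    root = AdObject("DC=example-root", [
        Ace("A", "Domain Admins (placeholder)", "Full", inheritable=True)])
    sales = AdObject("OU=Sales", [
        Ace("D", "Interns (placeholder)", "Write", inheritable=True),
        Ace("A", "Sales Admins (placeholder)", "Write", inheritable=True),
        Ace("A", "Help Desk (placeholder)", "ResetPassword")], parent=root)   # not inheritable
    alice = AdObject("CN=alice", [], parent=sales)
    svc = AdObject("CN=svc-backup", [Ace("A", "Backup Operators (placeholder)", "Read")],
                   protected=True, parent=sales)
    return {"root": root, "sales": sales, "alice": alice, "svc": svc}


def summarize(obj):
    """(trustee, rights, inherited) tuples in DACL order, for inspection and tests."""
    return [(a.trustee, a.rights, a.inherited) for a in effective_dacl(obj)]


if __name__ == "__main__":
    tree = build_sample_tree()
    for key in ("alice", "svc"):
        print(tree[key].name, summarize(tree[key]))
```

`alice` ends up with the Sales OU's inheritable deny and allow first (deny ordered before allow) and then the domain-level Domain Admins ACE, while the Help Desk ACE never reaches her because it was not marked inheritable. `svc-backup`, with inheritance turned off, keeps only its explicit ACE, which is exactly why a protected object deserves a second look during a permissions review: Domain Admins no longer appear in its DACL.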

Page 12

Workgroups

All computers are peers; there is no host.

User accounts aren’t shared.

No more than 20 computers at a time.

Not protected by authentication.

All computers must be on the same local network/subnet.

Page 13

Domains

Servers act as hosts/administrators.

Easy to apply sweeping policy changes.

Users must authenticate to gain access.

User accounts can access any computer in the domain.

Enforces consistency.

Borderline limitless capacity.

Can be distributed across multiple networks.

Page 14

Organizational Units

Organize and segregate groups within a domain.

Smallest unit at which group policy can be enforced.

Useful for representing the logical hierarchy of an organization.

Can be nested.

Reduces the need for multiple domains to some degree.

Allows for granular delegation of administrative authority.

Page 15

Trees

Domain trees are collections of domains with a hierarchical structure.

Domains controlled by other domains are child domains, and the controlling domain is the parent domain.

Page 16

Forests

Complete instance of Active Directory

Contains all Domain Trees, including their domains and organizational units

The first, highest-level domain in a Forest is called the Forest Root Domain

Page 17

Trust Relationships

Extend security across multiple domains.

Allow access to data and storage locations in other domains.

“Transitive” trust relationships extend trust from the trusted domain to all of that domain’s trusted domains, whereas “nontransitive” trusts do not.
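The transitive/nontransitive distinction on this slide, together with the tree and forest structure of the two slides before it, can be worked through as a graph. The following is an added example, not from the slides: it models each trust as a directed edge from the trusting domain to the trusted domain and computes which domains a given domain ends up trusting. A direct trust always counts; beyond the first hop, only transitive links extend the relationship, so a nontransitive trust reached through a transitive one stops there. The forest layout (a forest root domain with two child domains, a second tree joined by a tree-root trust, and an external nontransitive trust to a partner domain) and all domain names are constructed placeholders.

```python
"""Compute the domains a domain trusts, honouring transitivity (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that accepts authentication from the other side
    trusted: str       # domain whose users gain access to the trusting domain
    transitive: bool   # whether the trust extends to the trusted domain's own transitive trusts


def two_way(a, b, transitive=True):
    """Parent-child and tree-root trusts in a forest are two-way and transitive."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def trusted_domains(domain, trusts):
    """Set of domains whose users `domain` will accept, following transitive links only."""
    by_trusting = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)
    reachable = set()
    expand = deque()
    # First hop: every direct trust counts, but only transitive ones can be extended.
    for t in by_trusting.get(domain, []):
        reachable.add(t.trusted)
        if t.transitive:
            expand.append(t.trusted)
    visited = set()
    while expand:
        d = expand.popleft()
        if d in visited:
            continue
        visited.add(d)
        # Later hops: a nontransitive trust held by an intermediate domain stays between
        # those two domains and is not extended to us.
        for t in by_trusting.get(d, []):
            if t.transitive and t.trusted != domain:
                reachable.add(t.trusted)
                expand.append(t.trusted)
    return reachable


# Constructed forest: corp.example is the forest root domain with two child domains;
# shop.example is a second tree joined by a tree-root trust; emea has an external,
# one-way, nontransitive trust to partner.example.
SAMPLE_TRUSTS = (
    two_way("corp.example", "emea.corp.example")
    + two_way("corp.example", "apac.corp.example")
    + two_way("corp.example", "shop.example")
    + [Trust("emea.corp.example", "partner.example", transitive=False)]
)


if __name__ == "__main__":
    for d in ("corp.example", "emea.corp.example", "apac.corp.example", "partner.example"):
        print(d, "trusts", sorted(trusted_domains(d, SAMPLE_TRUSTS)))
```

Running it shows why the external trust is kept nontransitive: `emea.corp.example` trusts `partner.example` directly, but `apac.corp.example` and the forest root do not, because the chain through `emea` breaks at the nontransitive link. Reversing the question (which domains trust `partner.example`) is a matter of building the map on `t.trusted` instead of `t.trusting`.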