Active Directory is a directory service used by Microsoft Windows and one of the central components for managing Windows-based networks.
Information about devices, resources and settings is managed in a hierarchical database. With Active Directory it is possible to carry out changes centrally or to provide information to different applications.
The Lightweight Directory Access Protocol (LDAP) is most commonly used to change or query information from the database.
OU's, objects and forests - when it comes to Active Directory, you will come across many terms whose purpose is not obvious at first glance. In this section we clarify their meaning.
A domain represents an independent security area. Active Directory comprises at least one domain.
Entries in the Active Directory database are referred to as objects and given attributes. Examples of objects are user, group, computer accounts and resources.
In order to summarize or structure objects, you can group them into organizational units (OU's) in the Active Directory. OU's can be subdivided into further OU's. This enables the mapping of hierarchical structures.
Group policies are special objects in Active Directory that make it possible to implement specific configurations for users and computers. Examples are the connection to a group drive or the setting of network interfaces.
You can also create subdomains in a domain of the Active Directory. A domain with subdomains forms a "structure", also called a tree. A tree hierarchically consists of at least one domain and has a common naming scheme.
An "overall structure" or "forest" is made up of several "structures"/"trees". However, these each have their own naming scheme.
Active Directory is centrally managed on a domain controller. Basically, you only need a Windows server, where you create a domain with the installation of Active Directory domain services and make this server the domain controller.
However, when promoted to domain controller, the Windows server loses any local users and groups. If you log on to a domain controller, you're actually logging on to the domain. However, other servers still have local users and groups, even if they belong to a domain.
In order to ensure the availability of the domain, it is advisable to use several domain controllers.
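The two steps just described, creating a domain with a first domain controller and then adding a second controller for availability, as an added PowerShell example that is not part of the original article. The domain name, the NetBIOS name and the credential are placeholders; the real cmdlets are `Install-WindowsFeature`, `Install-ADDSForest` and `Install-ADDSDomainController` from the AD DS deployment module.

```powershell
# Added example (not from the original article). Placeholder domain: corp.example.internal / CORP.
# --- On the server that is to become the first domain controller ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Directory Services Restore Mode password; keep it separate from any admin password
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Creates the forest, its first domain, and promotes this server. The server reboots at the
# end, and its local users and groups no longer exist afterwards (see the paragraph above).
Install-ADDSForest `
    -DomainName 'corp.example.internal' `
    -DomainNetbiosName 'CORP' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# --- On a second server whose DNS client points at the first domain controller ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'corp.example.internal' `
    -Credential (Get-Credential -UserName 'CORP\Administrator' -Message 'Domain admin') `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password for this DC') `
    -Force

# --- Afterwards, from any domain member: confirm that both controllers answer for the domain ---
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
```

The second controller is what keeps logons working while the first one is patched or down; the final query is the quick check that the domain actually has more than one.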
Windows supports two types of user accounts: domain accounts and local accounts. Local accounts are stored locally on each computer, domain accounts are stored on the domain controller. Users who have an account in the domain can (in principle) log on to any computer that is in the domain. To do this, select either the local computer or the domain for an interactive login under "Login to".
This is where the availability of the domain controller comes into play. If it is not available, you cannot log on to a computer in the domain. However, there is the option of caching domain credentials on computers so that login is still possible. In times of home office and VPN connections, this is an essential feature. User accounts in a domain must be created manually by an administrator.
Computer accounts basically consist of the same attributes as user accounts. When a computer joins a domain, a computer account is automatically created in Active Directory. Each computer account has a password to authenticate itself to the domain controller. This password is created automatically and changed every 30 days.
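An added PowerShell example, not from the original article, that checks the two mechanisms described in the last paragraphs on a domain-joined machine: how many domain logons Windows caches locally (the `CachedLogonsCount` value under `Winlogon`, default 10), whether the computer account's 30-day password rotation is still active (`MaximumPasswordAge` and `DisablePasswordChange` under the Netlogon parameters), and which computer accounts in the domain have not rotated their password for a long time. The 60-day grace period is an assumption chosen as twice the rotation interval.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-CachedLogonSetting {
    # "Interactive logon: Number of previous logons to cache"; Windows defaults to 10 when unset.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    [pscustomobject]@{
        CachedLogonsCount = $count
        Meaning           = if ($count -eq 0) { 'No logon possible while no domain controller is reachable' }
                            else { "Up to $count domain users can still log on without a domain controller" }
    }
}

function Get-MachinePasswordPolicy {
    # Netlogon parameters that control the computer account password rotation.
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $netlogon
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -eq $p.MaximumPasswordAge) { 30 } else { [int]$p.MaximumPasswordAge }
        RotationDisabled       = ($p.DisablePasswordChange -eq 1)   # 1 would stop the 30-day change
    }
}

function Get-StaleComputerAccount {
    # Enabled computer accounts whose password is older than the grace period: the machine
    # has not talked to a domain controller for a long time, or rotation was switched off on it.
    param([int]$GraceDays = 60)   # assumption: twice the 30-day rotation interval
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, LastLogonDate, DistinguishedName
}

Get-CachedLogonSetting
Get-MachinePasswordPolicy
Get-StaleComputerAccount | Format-Table -AutoSize
```

Cached logons are what make home-office laptops usable without a VPN; the count is also the number of cached credential verifiers stored on the disk, so it is a value to decide on deliberately per device class rather than leave at the default. Stale computer accounts are usually decommissioned machines that were never removed from the directory and are worth cleaning up.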
In order to simplify the administration effort, Active Directory offers the option of combining users into groups. A good example is to map the hierarchical structure of the company using groups and organizational units. All users in the Accounting department are members of the Accounting group. The "Accounting" group is in the organizational unit of the same name. If necessary, you can specifically create a guideline for this organizational unit that only affects this department.
If the accounting department gets a new employee, the administrator creates a new user account and adds this account to the "Accounting" group. It is not necessary to give the new user special permissions. The user receives them through the permissions or group policies that are created for the organizational unit. If an employee leaves the company, removing permissions is also easier.
The whole principle of Active Directory can be described with the abbreviation "AGDLP" (Accounts, Global Group, Domain Local Group, Permissions).
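The accounting example from the previous paragraphs carried through according to AGDLP, as an added PowerShell example that is not part of the original article. The OU name, the group names, the user, the share path and the GPO name are placeholders; the cmdlets come from the ActiveDirectory and GroupPolicy modules, and the permission is set with the .NET `FileSystemAccessRule` class.

```powershell
# Added example (not from the original article). All names and paths are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$ouPath   = "OU=Accounting,$domainDn"
$share    = 'D:\Shares\Accounting'   # existing folder on a file server in the domain

# Organizational unit for the department; a policy linked here affects only this OU
New-ADOrganizationalUnit -Name 'Accounting' -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-GPO -Name 'Accounting - group drive' | New-GPLink -Target $ouPath -LinkEnabled Yes

# A: the account. Initial password entered interactively, must be changed at first logon.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -Path $ouPath `
    -AccountPassword (Read-Host -AsSecureString -Prompt 'Initial password') `
    -Enabled $true -ChangePasswordAtLogon $true

# G: global group that expresses the role "works in accounting"
New-ADGroup -Name 'GG_Accounting' -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity 'GG_Accounting' -Members 'jdoe'

# DL: domain local group that expresses one permission level on one resource
New-ADGroup -Name 'DL_AccountingShare_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity 'DL_AccountingShare_Modify' -Members 'GG_Accounting'

# P: the permission is granted only to the domain local group, never to a user directly
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DL_AccountingShare_Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Offboarding: removing the role membership takes away every resource permission it carried.
# The remaining memberships are listed so that nothing was granted outside the scheme.
Remove-ADGroupMember -Identity 'GG_Accounting' -Members 'jdoe' -Confirm:$false
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
```

The point of the split between the global and the domain local group is that a user is only ever a member of role groups, and resources only ever list one group per permission level in their ACL; neither side has to be touched when someone joins or leaves.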
If you want to know more: the link below takes you to the second part, Active Directory security management.
2 answers
I like it *thumbs up*
Thank you very much 🙂