Active Directory simply explained

Table of Contents

Active Directory is a Microsoft Windows directory service

Active Directory is a directory service used by Microsoft Windows and one of the central components for managing Windows-based networks.

Information about devices, resources and settings is managed in a hierarchical database. With the Active Directory it is possible to carry out changes centrally or to provide information for different applications.

The Lightweight Directory Access Protocol (LDAP) is most commonly used to change or query information from the database.

How is Active Directory structured?

OU's, objects and forests - when it comes to Active Directory, you will come across many terms whose purpose is not obvious at first glance. In this section we clarify their meaning.

The domain

A domain represents an independent security area. Active Directory comprises at least one domain.


Entries in the Active Directory database are referred to as objects and given attributes. Examples of objects are user, group, computer accounts and resources.

organizational units

In order to summarize or structure objects, you can divide/bundle them into organizational units (OU's) in the Active Directory. OU's can be subdivided into further OU's. This enables the mapping of hierarchical structures.

group Policy

Group policies are special objects in Active Directory that make it possible to implement specific configurations for users and computers. Examples are the connection to a group drive or the setting of network interfaces.

the tree

You can also create subdomains in a domain of the Active Directory. A domain with subdomains forms a "structure", also called a tree. A tree hierarchically consists of at least one domain and has a common naming scheme.

The Forest

An "overall structure" or "forest" is made up of several "structures"/"trees". However, these each have their own naming scheme.

domain controller

Active Directory is centrally managed on a domain controller. Basically, you only need a Windows server, where you create a domain with the installation of Active Directory domain services and make this server the domain controller.


However, when promoted to domain controller, the Windows server loses any local users and groups. If you log on to a domain controller, you're actually logging on to the domain. However, other servers still have local users and groups, even if they belong to a domain.


In order to ensure the availability of the domain, it is advisable to use several domain controllers.

Are your Active Directory settings secure?
We will find out for you and guide you through the optimization of your IT security.
For IT security advice

users and computers

Windows supports two types of user accounts: domain accounts and local accounts. Local accounts are stored locally on each computer, domain accounts are stored on the domain controller. Users who have an account in the domain can (in principle) log on to any computer that is in the domain. To do this, select either the local computer or the domain for an interactive login under "Login to".

This is where the availability of the domain controller comes into play. If this is not available, you cannot log on to a computer in the domain. However, there is the option of caching domain credentials on computers to still allow login. In times of Home Office and VPN connection is an essential feature. User accounts in a domain must be created manually by an administrator.

Computer accounts basically consist of the same attributes as user accounts. When a computer joins a domain, a computer account is automatically created in Active Directory. Each computer account has a password to authenticate itself to the domain controller. This Password is created automatically and changed every 30 days.

Groups, organizational units and policies

In order to simplify the administration effort, Active Directory offers the option of combining users into groups. A good example is to map the hierarchical structure of the company using groups and organizational units. All users in the Accounting department are members of the Accounting group. The "Accounting" group is in the organizational unit of the same name. If necessary, you can specifically create a guideline for this organizational unit that only affects this department.

If the accounting department gets a new employee, the administrator creates a new user account and adds this account to the "Accounting" group. It is not necessary to give the new user special permissions. He receives this through the permissions or group policies that are created for the organizational unit. If an employee leaves the company, removing permissions is also easier.

The whole principle of Active Directory can be described with the abbreviation "AGDLP" (Accounts, Global Group, Domain Local Group, Permissives).

If you want to know more:
The link below takes you to the second part Active Directory security management 

Would you like to find out more from IT security professionals?
Just give us a call or use our contact form!
Contact us now
Follow for more!
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

2 answers

Do you have any questions or additions? bring it on!
Write a comment and we will reply as soon as possible!

Your email address will not be published. Required fields are marked with *.

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!