7/16/2018 Active Directory Objects

Active Directory Objects
Object Types

There are two types of Active Directory groups, each with a different purpose. These are:

Security groups - Security principals; they can be listed in access control lists and assigned permissions. The security principal objects in Active Directory are:
users
groups
computers
Distribution groups - Used only to group users for applications such as mail. They are not security principals and cannot be assigned permissions.
Object Characteristics

Every object has a:

Globally Unique Identifier (GUID) - Uniquely identifies each object. Its size is 128 bits. The GUID is assigned when the object is created and does not change when the object is renamed or moved.
Security Identifier (SID) - A SID is created by the Windows 2000 security subsystem and assigned to security principal objects (users, groups and computers). Access control lists refer to principals by SID rather than by name, so renaming a principal does not change its permissions. The SID of a domain account is the domain's own SID followed by a relative identifier (RID) that is unique within that domain.
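The following is an added example, not code from the original page, that converts the binary form in which Active Directory stores a SID (the objectSid attribute) into the familiar string form and back. The layout is the documented Windows SID structure: a revision byte (always 1), a sub-authority count byte, a 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities, the last of which is the RID. The sample domain SID is constructed; S-1-1-0 (Everyone), S-1-5-32-544 (Builtin Administrators) and RID 500 (the built-in Administrator account) are standard well-known values.

```python
import struct

# Constructed sample: a domain user's objectSid in string form. The last
# sub-authority (500) is the well-known RID of the built-in Administrator account.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-500"


def parse_sid(blob: bytes) -> str:
    """Convert raw objectSid bytes to "S-1-<authority>-<sub>-..." form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def build_sid(text: str) -> bytes:
    """Inverse of parse_sid: string form back to the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("field out of range")
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid: str):
    """Split a domain-account SID into (domain SID, RID).

    The RID is the final sub-authority; everything before it identifies the
    issuing domain and is shared by every principal of that domain.
    """
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True if two account SIDs were issued by the same domain."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]


if __name__ == "__main__":
    blob = build_sid(SAMPLE_SID)
    print(blob.hex())
    print(parse_sid(blob))
    print(split_domain_rid(SAMPLE_SID))
```

The domain part is what matters when reading an ACL from another domain: two accounts with the same RID but different domain prefixes are unrelated principals, and a SID whose domain prefix is not known locally shows up in the Foreign Security Principals container described further down.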
Active Directory Objects

Active Directory may contain all of the objects listed here as well as the objects, listed in the next section, that organizational units can contain:

Domain - The core unit in the Active Directory structure. Each domain has its own SID, from which the SIDs of its users, groups and computers are derived, and its domain naming context is replicated only among that domain's domain controllers.
Organizational Unit (automatically published) - Other organizational units may be contained inside organizational units.
Leaf objects - Objects such as users and computers which cannot contain other objects.
Organizational Units

Organizational Units are called container objects since they help to organize the directory and can contain other objects, including other OUs. The basic unit of administration is now the organizational unit rather than the domain. Organizational units let a single domain be divided into separately administered subtrees (sometimes loosely called logical domains) without creating additional domains. Microsoft recommends that there should never be more than 10 levels of organizational unit nesting. Since deeper OU nesting slows directory access, normally there should be no more than three or four levels of nesting. Organizational units may contain:

Organizational Unit (automatically published) - Used to arrange AD objects into a hierarchy of logical business units. Other organizational units may be contained inside organizational units.
User (automatically published) - An individual person.
Group (automatically published) - A group of user accounts. Groups make user management easier.
Computer (Those in the domain are automatically published) - Specific
Contact (automatically published) - Administrative contact for specific Active Directory objects. A contact has no account and cannot log on.
Shared folder - Used to share files; each maps to a server share.
Printer (Most are automatically published) - Windows NT shared printers are not published automatically.

The following objects are not contained in organizational units. They live under the Sites container of the configuration partition and are maintained on each server with "Active Directory Sites and Services":

Connection - A defined one-direction replication path between two domain controllers, making the domain controllers potential replication partners.
Site - A grouping of machines based on one or more TCP/IP subnets. An administrator determines what a site is. Sites may contain multiple subnets. There can be several domains in a site. For example, an organization may have branches around the city it is located in, and each location may be a site.
Site container
Site link - Defines the connection between sites. It can indicate the cost of sending data across a network in terms of available bandwidth. It is a list of two or more connected sites. Whether the link will use RPC over IP or SMTP for passing data must be decided before creating the link, since a link is created inside one transport container and cannot be moved to the other.
Site link bridge - Makes a set of site links transitive, so that a site at one end of a string of sites can replicate through one or two intermediate sites to a site at the other end. These are only used for fine control of how replication will occur across WAN links.
Site settings
Subnet - A part of a network based on addresses which is usually connected using routers. A network address and subnet mask define the subnet. Subnets are created in the Subnets container and associated with a site; until a site has subnets associated with it, clients cannot be matched to that site.
Subnet container
Trusted domain
Pre-installed Container Objects

Pre-installed container objects provide backward compatibility with Windows NT. They look and act like organizational units, but they are containers rather than OUs, so Group Policy cannot be linked to them. They include:

Builtin - Built-in local groups such as Administrators and Account Operators.
Computers - The default location for computer accounts created without specifying an organizational unit, including those created with Windows NT tools. It is a list of workstations and member servers.
Domain Controllers - A list of domain controllers. Unlike the other pre-installed containers, this one is a true organizational unit and can have Group Policy linked to it.
Foreign Security Principals - Placeholder objects holding the SIDs of security principals from trusted external domains that have been added to groups in this domain.
Users - User and group accounts created with Windows NT tools or without specifying an organizational unit, plus the default domain accounts and groups.
Object Access

Controlling permissions on objects in Active Directory controls access only to the objects in Active Directory. Resources outside Active Directory, such as file shares and printers, have their own access control lists. Permissions on the corresponding objects in Active Directory (for example a published shared folder) do not affect permissions on the external resource. Therefore the user must have both Active Directory access and access to the resource itself.

When setting object permissions, they can be set so the change applies to all children of the object or only to the object itself. Child objects can also be set to inherit permissions from their parent object. Access to specific object properties can be controlled. Object permissions for users and groups include:

Full Control - Allows full access to the object and its sub-objects, with the ability to take ownership of objects and change permissions of objects and sub-objects.
Read - Allows object contents and properties to be displayed.
Write - Allows object contents and properties to be changed, except for modifying permissions, configuring auditing, or taking ownership.
Create All Child Objects - Allows creation of any child objects.
Delete All Child Objects - Allows deletion of any child objects.

Object access is controlled using the Active Directory Users and Computers tool by clicking on "View", "Advanced Features", clicking + next to the domain, right-clicking the object, selecting "Properties", and clicking the "Security" tab, where the permissions are set.

Permission Combinations

When the permissions granted to a user and to the groups the user belongs to differ for a specific object, the permissions are cumulative, so the least restrictive result normally applies. The exception is when the user or one of the groups is explicitly denied one or more specific permissions on the object: a denial overrides any allow of the same permission from another entry at the same level, so the user ends up with the most restrictive combination. If Full Control is denied to a user or group, that user or group has no permissions on the object. Explicit permissions set on the child object itself override a denial inherited from the parent, even if the child is set to inherit permissions from the parent, because Windows evaluates explicit entries before inherited ones.
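To make these rules concrete, here is an added example (not code from the page) that models the Windows DACL walk in Python. It is a simplification: rights are four toy bits, trustees are names rather than SIDs, and owner privileges and the special handling of a missing DACL are left out. The names alice, staff and bob and the three DACLs are constructed for illustration; the evaluation order is the Windows canonical order (explicit deny, explicit allow, inherited deny, inherited allow), which is what makes the three outcomes described above fall out.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Toy rights mask standing in for the real access mask bits.
READ = 0x1
WRITE = 0x2
CREATE_CHILD = 0x4
DELETE_CHILD = 0x8
FULL_CONTROL = READ | WRITE | CREATE_CHILD | DELETE_CHILD


@dataclass(frozen=True)
class Ace:
    """One access control entry. `inherited` marks an entry that flowed down from the parent."""
    trustee: str        # user or group name (a SID in a real DACL)
    mask: int           # rights this entry allows or denies
    allow: bool         # True = access-allowed, False = access-denied
    inherited: bool = False


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """Order entries as Windows stores them: explicit before inherited,
    and within each of those, deny before allow. Python's sort is stable,
    so entries that tie keep their original order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl: Iterable[Ace], token: Set[str], requested: int) -> bool:
    """Decide whether a caller holding `token` (its user plus all groups)
    gets every right in `requested`.

    Walk the DACL in canonical order, skipping entries for trustees not in
    the token. A deny entry that covers any requested right not yet granted
    ends the check with a refusal. An allow entry grants the rights it
    covers; once all requested rights are granted, access is allowed.
    Reaching the end without granting everything is a refusal (an empty
    DACL grants nothing).
    """
    if requested == 0:
        return True
    granted = 0
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        remaining = requested & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False


def effective_rights(dacl: Iterable[Ace], token: Set[str]) -> int:
    """Mask of the individual rights the token would be granted."""
    result = 0
    for bit in (READ, WRITE, CREATE_CHILD, DELETE_CHILD):
        if access_check(dacl, token, bit):
            result |= bit
    return result


# Constructed scenario: alice is a member of the group "staff".
ALICE = {"alice", "staff"}

# 1. The group is allowed read+write but alice is explicitly denied write:
#    the denial wins for write, the group's allow still gives read.
DENY_WINS = [
    Ace("staff", READ | WRITE, allow=True),
    Ace("alice", WRITE, allow=False),
]

# 2. A deny on write inherited from the parent OU, but an explicit allow
#    set on the child object itself: the explicit entry is evaluated first.
EXPLICIT_BEATS_INHERITED = [
    Ace("staff", WRITE, allow=False, inherited=True),
    Ace("alice", READ | WRITE, allow=True),
]

# 3. Full Control explicitly denied: every request hits the deny entry.
FULL_CONTROL_DENIED = [
    Ace("staff", FULL_CONTROL, allow=True),
    Ace("alice", FULL_CONTROL, allow=False),
]

if __name__ == "__main__":
    for name, dacl in [("deny wins", DENY_WINS),
                       ("explicit beats inherited", EXPLICIT_BEATS_INHERITED),
                       ("full control denied", FULL_CONTROL_DENIED)]:
        print("%-26s effective rights = 0x%x" % (name, effective_rights(dacl, ALICE)))
```

The second scenario is the one to remember when auditing delegation: a Deny placed on an OU is not a guarantee, because anyone who can write the DACL of a child object can add an explicit Allow there that is evaluated before the inherited Deny.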

Object Ownership

Ownership can be taken by a user who has the Take Ownership permission on the object or who is a member of the Domain Admins group. The owner of an object can always read and change its permissions, whatever the object's access control list says, so the ability to take ownership amounts to full control. Ownership is changed using the Active Directory Users and Computers tool by clicking on "View", "Advanced Features", clicking + next to the domain, right-clicking the object, selecting "Properties", clicking the "Security" tab, clicking "Advanced", and continuing from there.
Active Directory Object Administration Delegation

Management of objects in Active Directory can be delegated to other administrators. The Delegation of Control Wizard works on containers: the domain, organizational units and the pre-installed containers. To delegate authority over an individual object below an OU, edit that object's permissions directly as described under "Object Access". There are two ways to delegate object control:

Find the container in the Active Directory Users and Computers tool, right-click on it, and select "Delegate Control". The Delegation of Control Wizard will start.
Perform the same action as is done when configuring permissions by using the "View" menu in the Active Directory Users and Computers tool, clicking on "Advanced Features", and editing the "Security" tab of the object.

Object Identifiers

Object identifiers are strings in a dotted notation that looks similar to an IP address, for example "1.2.840.113556.1", the arc under which Microsoft registers Active Directory schema identifiers. Every class and attribute in the schema carries one. Object identifiers are issued by registration authorities, each of which can delegate a sub-arc to other authorities. The root of the tree is shared by ISO and ITU-T; the ISO arc has the number 1. When an authority assigns a number beneath its arc to another organization, that number is appended to the authority's identifier and identifies the organization. Suppose an authority whose identifier is X assigned CTDP the number 469034, CTDP issued 1 to Mark Allen, and Mark Allen assigned 10 to an application; the identifier of the application would then be "X.469034.1.10". An organization that needs an arc of its own obtains one from a registration authority, for instance a private enterprise number from IANA under 1.3.6.1.4.1. A number cannot simply be placed directly under 1, because the arcs immediately below the ISO root are fixed by the standard.
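Below is an added example, not from the original page, with three object identifier helpers: a parser that applies the allocation rules of the registration tree (which is why a value such as "1.469034.1.10", with a second arc above 39, is rejected), a prefix test that answers whether one identifier was issued beneath another authority's arc, and the DER encoding used whenever an object identifier travels inside an ASN.1 structure such as a certificate. The DER part goes beyond what the text covers. EXAMPLE_OID is constructed: it is the page's hypothetical chain placed beneath the IANA private enterprise arc, and 469034 is not a real registration.

```python
from typing import List

# Constructed illustration: the page's example chain (469034 -> 1 -> 10) placed
# beneath the private enterprise number arc (1.3.6.1.4.1), where an organization
# can actually obtain a number. The value 469034 is hypothetical.
EXAMPLE_OID = "1.3.6.1.4.1.469034.1.10"


def parse_oid(text: str) -> List[int]:
    """Split dotted notation into integer arcs and apply the tree's rules:
    at least two arcs, the root is 0 (itu-t), 1 (iso) or 2 (joint-iso-itu-t),
    and under roots 0 and 1 the second arc is limited to 0..39."""
    arcs = [int(p) for p in text.split(".")]
    if len(arcs) < 2:
        raise ValueError("an object identifier needs at least two arcs")
    if any(a < 0 for a in arcs):
        raise ValueError("arcs are non-negative")
    if arcs[0] not in (0, 1, 2):
        raise ValueError("root arc must be 0, 1 or 2")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be 0..39 under roots 0 and 1")
    return arcs


def is_subordinate(oid: str, authority: str) -> bool:
    """True if `oid` was allocated beneath the arc owned by `authority`."""
    a, b = parse_oid(oid), parse_oid(authority)
    return len(a) > len(b) and a[:len(b)] == b


def _base128(value: int) -> bytes:
    """Encode one arc as big-endian 7-bit groups, high bit set on all but the last."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def der_encode(text: str) -> bytes:
    """DER encoding: tag 0x06, length, then the first two arcs folded into
    one number (40 * first + second) followed by each remaining arc."""
    arcs = parse_oid(text)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not implemented in this example")
    return bytes([0x06, len(body)]) + body


def der_decode(data: bytes) -> str:
    """Inverse of der_encode. The folded first value is split back by range:
    below 40 is root 0, 40..79 is root 1, 80 and above is root 2."""
    if len(data) < 3 or data[0] != 0x06 or data[1] == 0 or data[1] & 0x80:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = data[2:2 + data[1]]
    if len(body) != data[1] or body[-1] & 0x80:
        raise ValueError("truncated encoding")
    values, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(acc)
            acc = 0
    first = values[0]
    root, second = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(a) for a in [root, second] + values[1:])


if __name__ == "__main__":
    print(der_encode(EXAMPLE_OID).hex())
    print(der_decode(der_encode(EXAMPLE_OID)))
    print(is_subordinate(EXAMPLE_OID, "1.3.6.1.4.1.469034"))
```

The folding of the first two arcs is the reason for the 0..39 limit: the decoder recovers the root from the range of the first encoded number, so a second arc of 40 or more under root 0 or 1 would be indistinguishable from a different root.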

Object Attribute Syntax

Attribute syntax defines the type of data the attribute contains. Each schema attribute records its syntax as an attributeSyntax object identifier together with an oMSyntax number. The following are attribute syntaxes defined by the oMSyntax numbers through

Undefined - illegal
Object (DS-DN) - Distinguished name of another directory object
String (Object ID)
Case sensitive string
String not sensitive to case
Printable string
Numeric string
Binary object
Octet string
Time string
Unicode string
Presentation address
DN string object
NT-sec-desc - Windows NT security descriptor
Large integer
Security ID - Windows NT security ID