What I need to know about Active Directory (AD)

What is Active Directory?

Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization’s security.

Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.

Domains and the Domain Name System (DNS)

Domains are named using the Domain Name System (DNS). If your company is called ACME Corporation your DNS name would be (for example) acme.com. This is the top-level domain name for your company. The security domain in Active Directory maps directly to the DNS domain name.

For larger organizations you can subdivide Active Directory into child domains (based on on geography for example). If ACME Corporation has three divisions named West, Central, and East, the sub-domains can have the DNS names west.acme.com, central.acme.com, and east.acme.com.

Each domain requires a server computer. In the above scenario you would need at least four servers to host Active Directory as follows:

  •     acme.com
  •     west.acme.com
  •     central.acme.com
  •     east.acme.com

Active Directory, also referred as an AD, originally created in the year 1996, it was first used with Windows 2000 Server as a directory service for Windows domain networks. Active Directory is a special purpose database, which serves as a central location for authenticating and authorizing all the users and computers within a network. Active Directory uses the Lightweight Directory Access Protocol (LDAP), an application protocol used for accessing and maintaining directory information services distributed over an IP network.

The basic internal structure of the Active Directory consists of a hierarchical arrangement of Objects which can be categorized broadly into resources and security principles. Some of the examples of Active Directory objects are users, computers, groups, sites, services, printers, etc. Every Object is considered as a single entity with some specific set of attributes. The attributes of Objects along with the kind of objects that can be stored in the AD are defined by a Schema.

The intrinsic framework of Active Directory is divided into a number of levels on the basis of visibility of objects. An AD network can be organized in four types of container structure namely, Forest, Domains, Organizational Units and Sites.

  •     Forests: It is a collection of AD objects, their attributes and set of attribute syntax.
  •     Domain: Domain is a collection of computers objects in the AD which share a common set of policies, a name and a database of their members.
  •     Organizational Units: OUs are containers in which domains are grouped. They are used to create a hierarchy for the domain to resemble the structure of the Active Directory’s company in organizational terms.
  •     Sites: Sites are independent of domains and OU structure and are considered as physical groups defined by one of more IP subnets. They are used to distinguish between locations connected by low- and high-speed connections.

Active Directory Domain Services

Active Directory Domain Services (AD DS), formerly known as Active Directory Domain Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

Active Directory Rights Management Services

Your organization’s intellectual property should  be safe and highly secure. Active Directory Rights Management Services (AD RMS), a component of Windows Server 2008 R2, is available to help make sure that only those individuals who need to view a file can do so. AD RMS can protect a file by identifying the rights that a user has to the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. With AD RMS, you can now safeguard data when it is distributed outside of your network.

Active Directory Federation Services

Active Directory Federation Services is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Windows Server 2008 R2, you can simply and very securely grant external users access to your organization’s domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.

Active Directory Certificate Services

Most organizations use certificates to prove the identity of users or computers, as well as to encrypt data during transmission across unsecured network connections. Active Directory Certificate Services (AD CS) enhances security by binding the identity of a person, device, or service to their own private key. Storing the certificate and private key within Active Directory helps securely protect the identity, and Active Directory becomes the centralized location for retrieving the appropriate information when an application places a request.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Rather than using your organization’s AD DS database to store the directory-enabled application data, AD LDS can be used to store in its place. Two components work in conjunction to provide you a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). You can also reduce the overhead associated with Active Directory replication, without extending the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.

The advantages of Active Directory for managing user accounts:

1. It will provide fully integrated security in the form of user logon’s and authentication.
2. It makes easy in administration in the form of group policies and permissions.
3. It makes easy to identify the resources.
4. It will provide scalability, flexibility and extentiability.
5. It is tightly integrated with DNS services for all its operations, which will provide better in identifications and migrations.
6. It services will provide Automatic replication of information between the domain controllers.
7. It supports integration of the other directory services also.
8. It supports multiple authentication protocols.

Users container within Active Directory

Figure 1. Users container within Active Directory

Builtin container within Active Directory

Figure 2. Builtin container within Active Directory

There are plenty of built-in groups to choose from. There are some groups which are used for administration of Active Directory, services, and other important directory service features. These groups are located in the Users container, as shown in Figure 1. These groups include:

  •     Cert Publishers
  •     DNSAdmins
  •     Domain Admins
  •     DHCP Admins
  •     Enterprise Admins
  •     Group Policy Creator Owners
  •     Schema Admins

These groups are essential for Active Directory and should be used to provide administrative control over these areas. It is not really possible to use Delegation to replace the functions that these groups provide.

Another category of built-in groups fall under a different place in the Active Directory. They are located in the Builtin container, as shown in Figure 2. These groups include:

  •     Administrators
  •     Account Operators
  •     Backup Operators
  •     Server Operators
  •     Print Operators

The built-in groups have a very distinct scope. They are designed to be used on the domain controllers and the domain controllers only. We know this because all of these groups are Domain Local (Local in Windows NT). This means that they are to be used to provide privileges to administrators that need to perform tasks on the domain controllers.

Another way to confirm this is that each local Security Accounts Manager (SAM) on the clients and servers have their own local built-in groups to perform these duties. The Administrators and Backup Operators groups are in every SAM. The other groups are not needed on the local SAM, because the Administrators group or Power Users group provides the privilege to accomplish the associated tasks on a client or server.

It is important to not only know the scope of these built-in groups, but also the capabilities of these groups. Table 1 lists what each group can do.

 

Administrators

Account Operators

Backup Operators

Print Operators

Server Operators

Create, delete, and manage user and group accounts

X

X

Read all user information

X

X

X

Reset password for user accounts

X

X

Share directories

X

X

Create, delete, and manage printers

X

X

X

Backup files and directories

X

X

X

Restore files and directories

X

X

X

Log on locally

X

X

X

X

X

Shut down the system

X

X

X

X

X

Table 1: Privileges of built-in groups in Active Directory

As you scan through the capabilities that the members of the built-in groups have, keep in mind that these capabilities have the scope of all domain controllers in the domain, as well as all objects within the domain. Therefore, if you add a user to one of these groups, you can’t scale down their scope of influence.

For example, it is common to want to have a junior administrator or the helpdesk staff to reset passwords for users in the domain. With the built-in groups, you would simply add them to the Account Operators group to accomplish this. However, take a look at the other privileges that this membership provides them. They can also perform all of the following tasks:

  •     Create, delete, and manage user accounts
  •     Create, delete, and manage group accounts
  •     Log on locally
  •     Shut down the system

As you can see, these additional privileges vastly expand the scope of influence compared to the original desire to just have the administrators reset passwords.

Another key point about our example is to consider which user accounts they would be able to reset the password for. If you give a user membership in the Account Operators group, they will be able to reset the password for the following users:

  •     Administrator account
  •     All IT staff
  •     Executives
  •     HR personnel

source: microsoft & windowsecurity

About iamsolusi

just ordinary people

Posted on March 14, 2012, in System Networking and tagged , , . Bookmark the permalink. Leave a comment.

Comments are closed.

%d bloggers like this: