Active Directory Objects List

What are objects in Active Directory?

Objects in Active Directory (AD) are entities that represent resources present in the AD network. These resources can be users, computers, printers, contact persons who may be vendors for the organization, and more. AD objects are characterized by a set of information; each piece of information is called an AD object attribute. For example, a user object in AD contains attributes such as the first name, middle name, the manager they report to, and more. The attributes that an AD object contains are defined by the AD schema. The schema contains object classes, which define the types of AD objects and the mandatory attributes each type must have.

Types of AD objects

There are two types of objects present in an AD network:

  • Container objects
  • Leaf objects

Container objects:

Container objects are AD objects that can contain other AD objects within them. Organizational units (OUs) and groups are classified as container objects.

Leaf objects:

Leaf objects are AD objects that cannot contain other objects within them. Computers, users, and printers are all examples of leaf objects.

AD objects list:

A common question that is asked is, “How many objects are there in Active Directory?” This is an ambiguous question as there could be two possible meanings:

How many types of objects are there in Active Directory?

How many AD objects can be there in an AD network?

So, the right question would be: How many types of objects in AD are there?

The answer to that question is that there are 12 types of objects in Active Directory. Here is a complete list of AD objects, and the characteristics of those AD objects.

List of AD objects:

Following is a list of the objects in Active Directory:

  • User object
  • Contact object
  • Printer object
  • Computer object
  • Shared folder
  • Group
  • Organizational Unit
  • Domain
  • Domain controller
  • Site objects
  • Builtin
  • Foreign security principals

User object

A user object in AD represents a real user who is part of an organization’s AD network. It is a leaf object, which means it can’t contain other AD objects within itself. The user may be an employee of the organization such as a manager, an HR person, or an IT administrator who generally has elevated permissions over other users. A user object is a security principal, which means that it has a security identifier (SID) in addition to a globally unique identifier (GUID). A user object in AD has attributes that contain information such as the canonical name, first name, middle name, last name, login credentials, telephone number, the manager they report to, address, who their subordinates are, and more.

Contact object

A contact object in AD represents a real contact person who is not a part of the organization but is associated with it. For example, an organization’s supplier or vendor is not a part of the organization but is still a contact person. It is a leaf object, which means it can’t contain other AD objects within itself. A contact object in AD is not a security principal, and so it only has a GUID. A contact object in AD has attributes that contain information such as the person’s name, email address, telephone number, and more. These contact objects would usually not require access to the AD network. They are just a type of AD object that is used to reference the contact person’s information, like a contact card.

Printer object

A printer object in AD is a pointer that points to a real printer in the AD network. It is a leaf object, which means it can’t contain other AD objects within itself. A printer object is not a security principal, and so it only has a GUID. A printer object in AD has attributes that contain information like the printer’s name, driver name, color mode, port number, and more.

Computer object

A computer object in AD represents a computer that is part of an organization’s AD network. The computer may belong to any of the employees in the organization. It is a leaf object, which means it can’t contain other AD objects within itself. A computer object in AD is also a security principal, similar to the user object, so computers also have SIDs in addition to GUIDs. A computer object in AD has attributes that contain information such as the computer name, the computer name (pre-Windows 2000), its unique ID, DNS name, role, description, location, who the computer is managed by, the operating system version it is running, and more.

Shared folder

A shared folder object in AD is a pointer that points to a shared folder on the computer where the folder is stored. A shared folder is a folder that is shared between members of the AD network; only those members can view the contents of the folder, while other members are denied access. It is a leaf object, which means it can’t contain other AD objects within itself. A shared folder object in AD is not a security principal, and so it only has a GUID. A shared folder object in AD has attributes that contain information such as the folder’s name, location, access privileges, and more.

Group

A group object in AD is an object that can contain other AD objects such as other groups, users, and computers. Hence, a group object is a container object. A group object in AD is a security principal too, similar to the user and computer objects, so group objects also have SIDs in addition to GUIDs. A group object is used to share permissions with the member AD objects within the group. A group object in AD has attributes that contain information such as the group name, the member objects in the group, and more.

Organizational Unit

An organizational unit (OU) in AD is an object that can contain other AD objects such as groups, users, and computers. Hence, an OU is also a container object, like a group. An OU in AD is a security principal too, similar to user, computer, and group objects, so OUs also have SIDs in addition to GUIDs. An OU is used to delegate roles to the member AD objects within the OU. An OU in AD has attributes that contain information such as its name, the member objects in the OU, and more.

Domain

A domain in AD is a structural component of the AD network. Domains contain AD objects such as users, printers, computers, and contacts, which may be organized into OUs and groups. Each domain has its own database, and also its own set of defined policies that are applied to all the AD objects within the domain.

Domain controller

A domain controller (DC) object in AD references a server that acts as a domain controller for the domain in which it is placed. The DC maintains the policies, authenticates AD users, and also takes care of the roles that all DCs in a domain should perform.

Site objects

Site objects in AD are objects that are created in the Active Directory network to manage and facilitate the process of replication.

Builtin

Builtin objects, like groups and OUs, are container objects. Builtin contains local groups that are predefined during the creation of the AD network.

Foreign security principals

Foreign security principal objects are container objects. These objects show the trust relationships that a domain has with other domains in the particular AD network.
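As an added example that is not part of the original article, the following PowerShell script inventories the object types listed above in the current domain and reports, for each type, how many objects exist and how many carry an objectSid (the attribute that makes an object a security principal; every object also has an objectGUID). It assumes the RSAT ActiveDirectory module is installed and the account running it has read access to the domain and Configuration partitions.

```powershell
# Added example (not from the original article): per-type inventory of AD objects,
# counting how many of each type carry an objectSid (i.e. are security principals).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext

# Map each type on the page to an LDAP filter and the partition to search.
# '(objectClass=user)' alone also matches computers (computer derives from user),
# so the user filter is narrowed with objectCategory. Sites live in the
# Configuration partition. Domain controllers are computers with the
# SERVER_TRUST_ACCOUNT bit (0x2000 = 8192) set in userAccountControl, tested
# with the LDAP bitwise-AND matching rule. Builtin groups are found by searching
# only under the CN=Builtin container.
$types = @(
    @{ Type = 'User';                       Filter = '(&(objectCategory=person)(objectClass=user))';                                Base = $domainDN }
    @{ Type = 'Contact';                    Filter = '(objectClass=contact)';                                                        Base = $domainDN }
    @{ Type = 'Printer';                    Filter = '(objectClass=printQueue)';                                                     Base = $domainDN }
    @{ Type = 'Computer';                   Filter = '(objectClass=computer)';                                                       Base = $domainDN }
    @{ Type = 'Shared folder';              Filter = '(objectClass=volume)';                                                         Base = $domainDN }
    @{ Type = 'Group';                      Filter = '(objectClass=group)';                                                          Base = $domainDN }
    @{ Type = 'Organizational Unit';        Filter = '(objectClass=organizationalUnit)';                                             Base = $domainDN }
    @{ Type = 'Domain controller';          Filter = '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))';   Base = $domainDN }
    @{ Type = 'Site';                       Filter = '(objectClass=site)';                                                           Base = $configDN }
    @{ Type = 'Builtin group';              Filter = '(objectClass=group)';                                                          Base = "CN=Builtin,$domainDN" }
    @{ Type = 'Foreign security principal'; Filter = '(objectClass=foreignSecurityPrincipal)';                                       Base = $domainDN }
)

$report = foreach ($t in $types) {
    # Subtree search from the chosen base; objectSid is only populated on security principals.
    $objects = @(Get-ADObject -LDAPFilter $t.Filter -SearchBase $t.Base -Properties objectSid)
    [pscustomobject]@{
        Type    = $t.Type
        Count   = $objects.Count
        WithSid = @($objects | Where-Object { $null -ne $_.objectSid }).Count
        Example = ($objects | Select-Object -First 1).DistinguishedName
    }
}

$report | Format-Table -AutoSize
```

Comparing the Count and WithSid columns shows directly which of the listed types are security principals in your own directory; a type whose objects all have SIDs is a security principal, one whose objects have none carries only a GUID.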
