Tag Archives: Active Directory Objects

Active Directory Basics: Everything you need to know

What you will learn:

An organization consists of many employees, devices, contacts, and large amounts of data. It needs to arrange all of these resources and this information in a structured manner for easy access, and it also needs to secure them. This is where directory services come into play. A directory service arranges all the resources in a structured, hierarchical manner, with functionality to search for and locate resources easily, and it also provides security functionality. Active Directory is one such directory service. In this article, we will take a look at the fundamental definitions you need to know to get started with Active Directory.

What is Active Directory?

Active Directory is a directory service provided by Microsoft. A directory service is a hierarchical arrangement of resources which are structured in a way that makes accessing them easy. However, functioning as a locator service is not AD’s exclusive purpose. It also helps organizations have a central administration over all the activities carried out in their networks.

Organizations primarily use Active Directory for authentication and authorization. It is the central database that is consulted to verify a user's identity before access to a resource or service is granted. Once the user's identity is verified, Active Directory helps determine whether the user is authorized to use that particular resource or service. If the user checks out on both counts, access is granted.

What is LDAP?

Active Directory is based on the Lightweight Directory Access Protocol (LDAP). This protocol provides a common language for clients and servers to speak to one another.

LDAP is a lightweight version of the Directory Access Protocol (DAP). DAP is an X.500 protocol in which clients and servers communicate over the Open Systems Interconnection (OSI) protocol stack rather than TCP/IP, and it requires a large investment. Hence, LDAP was proposed as a lighter version of DAP that retains DAP's core functionality. LDAP is much easier on an organization's wallet, and it runs over TCP/IP. You can learn more about LDAP in this article.

What is DNS?

DNS is the service that helps clients locate services and resources on the network. DNS servers contain records of all the services they are responsible for. These are called service resource records (SRV records), and they help a client system locate Active Directory resources such as domain controllers (DCs). For this reason, it is imperative that SRV records be kept up to date, by automatic updates (especially in the case of employees who move around a lot) or manual ones. In addition to SRV records, DNS also holds records such as A records, CNAME records, and MX records, which make the AD environment function more smoothly. You can read more about DNS here.
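As an added example (not code from the article), the following Python shows how a client uses the SRV records described above to find a domain controller: it builds the real DC-locator record name for a domain, parses zone-file style SRV answers, and orders them the way RFC 2782 prescribes (lowest priority first, weighted random within a priority). The SRV answers are constructed sample data; a stale record for a retired DC would keep steering clients to a host that no longer exists, which is why the text insists on keeping them current.

```python
import random
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_name(domain: str, service: str = "ldap") -> str:
    """Name clients query to find DCs, e.g. _ldap._tcp.dc._msdcs.example.com
    (use service="kerberos" for the KDC records)."""
    return "_%s._tcp.dc._msdcs.%s" % (service, domain.rstrip(".").lower())


def parse_srv(line: str) -> SrvRecord:
    """Parse '<name> <ttl> IN SRV <priority> <weight> <port> <target>'."""
    f = line.split()
    if len(f) < 8 or f[2:4] != ["IN", "SRV"]:
        raise ValueError("not an SRV record: %r" % line)
    return SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))


def rank_targets(records, rng=None):
    """Order records per RFC 2782: by priority, then weighted random selection
    without replacement inside each priority group."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


# Constructed sample answer: two equal DCs in the local site, one backup.
SAMPLE_ANSWER = [
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc3.example.com.",
]
```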

How does Active Directory work?

Active Directory, or AD in short, allows the storage of resources in a hierarchical manner. While deploying AD, there are two sides to be kept in mind with regards to its structure:

  • The logical side: This side determines how the structure of the directory network is arranged in a hierarchical fashion. The logical side is designed so that the hierarchy allows certain resources to be placed within other resources, creating parent-child relationships between them. These relationships can be used to administer access rights and permissions easily. The design depends on how the organization wants to administer its IT environment.
  • The physical side: This deals with the physical location of hardware such as the servers in the physical world. It is important to design the physical structure carefully in order to ensure performance efficiency between servers and resources.

Objects in Active Directory

Objects are components in the AD network that represent the physical resources that are part of the AD environment. The object’s properties are defined by sets of information called attributes. Some of the common AD objects are as follows:

  • User: Every member of the organization is denoted in AD through a user object. The user object contains the member’s details such as their first name, last name, office, telephone number, and so on.
  • Contact: A contact object is used to store the contact details of people who are not part of the organization itself but are associated with it in some way. They may be vendors or suppliers who are not in the employ of the organization. Only the person's name and contact details are stored. These contacts, unlike users, are not given access to network resources.
  • Printer: Refers to the printers in the network. All printers in the organization’s network can be represented using printer objects in the AD environment.
  • Computer: This object contains information about all the computers in the network.
  • Shared folder: This object is a pointer that points towards the location of a shared folder in the AD network. It should be noted that only folders, and not individual files, can be shared. If an individual file needs to be shared, it should be placed within a folder.
  • Group: A group is a collection of directory objects put together so that certain security policies can be assigned to them. For example, an organization would want only a particular department to have access to certain documents. In that case, the network administrator would create a group containing all the department members and add a security policy, providing them access to the file server containing the documents.
  • Organizational units (OUs): OUs help in structuring your network resources in an easy to locate manner. An OU is nothing but a container within which objects such as users, printers, computers, and others can be placed. OUs should be contained within a single domain; they cannot be shared across domains. The hierarchical arrangement of OUs, however, can be followed across domains.

You can learn more about AD objects in this article.

Structure of Active Directory

Think of AD as a forest. A forest has multiple trees, and the trees contain branches and leaves. An AD environment is designed similarly. It may consist of one or more forests that represent the whole organization or an organization’s subsidiaries. Each AD forest is made up of one or more domains (equivalent to trees in a real forest), and each domain consists of various objects (equivalent to leaves in a tree) that are categorized into OUs and groups (equivalent to branches in a tree).

What is a domain?

A domain is a collection of objects in an AD environment. All objects within a domain follow the same policies for security and administrative purposes. Users seeking access to resources of a domain need to be authenticated by a server called a Domain Controller (DC).

Each domain should have at least one domain controller (DC). An organization deploys domains based on its departments or on the geographical locations of its branches. Large scale organizations usually create their domains based on geographical locations.

Let’s say an organization has a forest named example.com. If the organization is an MNC, it would have deployed domains based on geographical locations, such as the various countries it operates in. If it is a smaller organization, it would deploy domains based on departments, such as marketing and sales. Once the domains have been created, OUs can be nested under the domains for each of the sub-departments, and users, computers, printers, and other objects can be added to them.


Understanding Active Directory Objects

What you’ll learn:

Active Directory (AD) is a directory service introduced by Microsoft as a centralized network resource management system. This network is comprised of entities that represent real users or network resources, and these entities are called Active Directory objects. AD objects can be of several types based on what they represent and their function. In this article, we shall understand what AD objects are, learn about the different types of objects in AD, and see how the objects get their properties.

What are Active directory objects?

Active Directory (AD) objects are the building blocks of an Active Directory network. AD objects are entities that represent a resource, such as a user, computer, or printer, that is part of the AD network. Each object is defined by a set of information about it. These pieces of information are called object attributes. For example, a user object’s attributes would hold the user's full name, telephone number, address, and more. These attributes are used to identify or search for objects in the AD network using LDAP queries. Each object type has a pre-defined set of attributes associated with it. These attributes are defined by what are called object classes. You can learn more about object attributes here.
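The LDAP queries mentioned here (and in the LDAP section of the first article) are search filters over object attributes, and any search term that comes from a user or a web form must be escaped before it is placed in a filter, or it can rewrite the query (LDAP injection). The following is an added example, not code from the article: it applies the RFC 4515 escaping rules and assembles the usual AD filter for a user by logon name. objectCategory, objectClass, sAMAccountName, givenName and sn are real AD attribute names; the search terms are constructed sample input.

```python
import re

# Characters RFC 4515 requires to be written as \XX inside a filter value.
_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never parsed."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def and_filter(**attrs) -> str:
    """AND-combine equality assertions, e.g. and_filter(givenName="Ada", sn="Lovelace").
    Attribute names are validated too, since they come from the caller, not a user."""
    parts = []
    for name, value in attrs.items():
        if not _ATTR_NAME.match(name):
            raise ValueError("invalid attribute name: %r" % name)
        parts.append("(%s=%s)" % (name, escape_filter_value(str(value))))
    return "(&%s)" % "".join(parts)


def user_filter(sam_account_name: str) -> str:
    """Filter matching one user account by logon name. objectCategory=person
    excludes computer objects, which in AD also carry objectClass=user."""
    return and_filter(objectCategory="person", objectClass="user",
                      sAMAccountName=sam_account_name)


# Constructed sample: an untrusted search term that would otherwise turn the
# query into "match every user" by closing the assertion and adding a wildcard.
INJECTION_ATTEMPT = "*)(sAMAccountName=*"
```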

What are object classes?

Every Active Directory network has what is called a schema. A schema is essentially a database of the attributes each type of object should have in an AD forest. It is a blueprint that gives a skeletal structure for the objects, based on which the objects are created. Object classes are a part of the schema; think of them as templates for the objects. Object classes define the attributes that each object should have. There are three types of object classes, framed in a hierarchical order: abstract, structural, and auxiliary.

  • Abstract class: An abstract class is a top-level class that contains other abstract or structural classes. It defines only the basic attributes of an object.
  • Structural class: A structural class is the main component that defines an object and what attributes it should have. A structural class always comes under an abstract class or another structural class.
  • Auxiliary class: Auxiliary classes contain additional attributes that the other classes can inherit. These attributes are usually ones that the other classes don’t want to define themselves but can inherit whenever necessary. Auxiliary classes can be subclasses of an abstract class or of other auxiliary classes.

How can objects be identified in the AD network?

When an object is created in Active Directory, it is assigned a unique 128-bit value called a globally unique identifier (GUID). Objects in the network can be identified using their GUID. Among all the objects, there is a special category called security principals. These are the objects that can be authenticated by an operating system: users, computers, and groups. Apart from having a GUID, a security principal is also assigned another unique identifier called a security identifier (SID). This identifier is not assigned to any object other than users, groups, and computers. SIDs act like security clearances for security principals within the network.
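Both identifiers described above are stored in binary form in the directory (the objectGUID and objectSid attributes), and tooling that reads them over LDAP has to decode them. The following added example (not code from the article) converts both to their familiar string forms and maps the relative identifier (RID) at the end of a SID to the built-in accounts it denotes; RID 500 is the built-in Administrator and 501 the Guest account, which is how a defender recognizes those accounts even after they have been renamed. The SID and GUID bytes below are constructed sample values.

```python
import struct
import uuid

# Well-known RIDs of built-in domain principals (Microsoft-defined values).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def sid_to_string(raw: bytes) -> str:
    """Decode an objectSid value: revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_to_string(raw: bytes) -> str:
    """Decode an objectGUID value; the first three fields are little-endian."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def well_known_rid(sid: str):
    """Name of the built-in principal a domain SID refers to, else None."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[:3] != ["S", "1", "5"] or parts[3] != "21":
        return None  # only domain SIDs (S-1-5-21-...) carry these RIDs
    return WELL_KNOWN_RIDS.get(int(parts[-1]))


# Constructed samples: S-1-5-21-1000-2000-3000-500 and a 16-byte GUID.
SAMPLE_SID = bytes.fromhex("0105000000000005" "15000000" "e8030000"
                           "d0070000" "b80b0000" "f4010000")
SAMPLE_GUID = bytes.fromhex("67452301ab89efcd0123456789abcdef")
```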

Types of objects in Active Directory

There are two types of AD objects, which are:

  1. Container objects: These objects can contain other objects within them. Groups and organizational units (OUs) are examples of container objects.

  2. Leaf objects: Leaf objects cannot contain other objects. These objects are only representations of resources in the AD network. Users, computers, and printers are examples of leaf objects.

Various objects in Active Directory

The following are some of the common kinds of objects in an AD network:

  • User: A user object represents the user account of an individual who needs access to resources in an AD network. The user account has a user name and is authenticated using a password to prevent unauthorized individuals from accessing the network’s resources. Active Directory has two types of user accounts, namely:

    • Administrator account: a full-fledged permanent account that has higher privileges for administrative purposes

    • Guest account: a temporary account that has limited access to resources and limited permissions

  • Computer: A computer object represents a workstation or a server computer in the AD network.

  • Contact: A contact object contains contact information for people who are associated with, but not part of, the organization, such as vendors and service technicians.

  • Group: A group object is a container object that contains users, computers, and other groups. Groups are used to manage AD permissions where all the objects within a group will inherit the permissions assigned to the group.

  • Organizational Unit (OU): An organizational unit is also a container object; it can contain users, computers, groups, or shared folders. OUs are used to organize objects, to manage resources within an organization, and to delegate control over the objects within the OU.

  • Printer: A printer object represents a printer resource in an AD network.

  • Shared folder: A shared folder object is a pointer for a specific shared folder that points towards where the folder in question is located. The pointer does not contain any data from the folder.

Difference between groups and organizational units

It can be quite confusing to distinguish between groups and OUs as both are container objects on the surface level. However, there are key differences in the purposes of these two objects.

Groups are used to assign and control the permissions of the objects within them. Groups can also be added to access control lists (ACLs), which define the permissions that the group's members have on a resource.

Organizational units, as the name suggests, are used to organize AD objects. This organization using OUs is used for activities such as deploying configuration changes or delegating roles. OUs are handy when an administrator wants to delegate administrative roles to a few objects but not give complete administrative access.

One thing to note is that OUs can contain groups and other OUs. However, while groups can contain other groups as sub-groups, they cannot contain OUs within them.

Another key difference is that groups have security identifiers (SIDs) while OUs do not. A SID is a unique identification value assigned to security principals (users, computers, and groups). Security principals are objects that can be authenticated by a system. Think of SIDs as a security clearance for the objects within the AD network.
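Because groups can be nested inside other groups and every member inherits the permissions assigned to the group, a user's effective access to a resource depends on the full chain of group memberships, not just the direct ones. The following added example (not code from the article) expands transitive group membership for a principal, tolerating membership cycles, and evaluates a simplified ACL where a deny entry that matches the user or any of their groups wins over an allow entry, as explicit deny ACEs do in a canonical Windows DACL. The directory and ACL below are constructed sample data.

```python
from collections import defaultdict

# Constructed directory: group -> direct members (user names or group names).
# Finance-Leads is nested inside Finance-Staff, so leads inherit staff access.
MEMBERS = {
    "Finance-Staff": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob"},
    "Contractors": {"carol"},
    "All-Readers": {"Finance-Staff", "Contractors"},
}

# Constructed ACL on a file share: (ace_type, trustee, rights).
SHARE_ACL = [
    ("deny", "Contractors", {"write"}),
    ("allow", "All-Readers", {"read"}),
    ("allow", "Finance-Leads", {"read", "write"}),
    ("allow", "carol", {"write"}),   # overridden by the deny on her group
]


def transitive_groups(principal, members=MEMBERS):
    """Every group the principal belongs to, directly or through nesting.
    The seen-set stops the walk if two groups contain each other."""
    parents = defaultdict(set)
    for group, direct in members.items():
        for member in direct:
            parents[member].add(group)
    seen, stack = set(), [principal]
    while stack:
        for group in parents.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def has_access(principal, right, acl=SHARE_ACL, members=MEMBERS):
    """True if an allow ACE grants the right and no matching deny ACE revokes it."""
    tokens = {principal} | transitive_groups(principal, members)
    matching = [t for t, trustee, rights in acl if trustee in tokens and right in rights]
    if "deny" in matching:
        return False
    return "allow" in matching
```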


Active Directory Fundamentals

Every day you walk into your organization, access numerous resources like files, printers and many more. Have you ever thought about the process that goes behind all these? Have you ever thought about how your identity is verified and you are given access to the resources? It is the Active Directory service which does all this.
