So let’s start with: what is Active Directory?
Active Directory (AD) is Microsoft’s directory service for Windows networks. It holds information about all the objects in an organization’s network: users, computers, and resources such as printers and shared files or folders. In that sense it is similar to a telephone directory. It is software that stores and organizes this information and grants access and permissions based on it. It also arranges all the network’s users, computers and other objects into logical, hierarchical groupings. Active Directory information is used to authenticate and authorize the users, computers and resources that are part of the network; under the hood this is done with LDAP for directory access and Kerberos (with NTLM as a fallback) for authentication.
Let’s discuss Active Directory Objects: –
These are the entities that make up a network. Each object is described by a set of attributes. Examples of object classes are Domain, Organizational Unit, User, Group, Contact, Computer, Shared Folder, Printer, Subnet and Site; the Forest, discussed below, is the overall container in which all of them live.
An object is described by its attributes, such as name, location or department.
Objects fall into the following categories:
• Container Objects –
Objects that can contain other objects, for example domains and organizational units, which hold users, computers and so on.
• Leaf Objects –
Objects that cannot contain other objects, for example users, computers and printers.
• Security Principal Objects –
Objects that can be authenticated and assigned permissions: user accounts, computer accounts and security groups.
Each object has a GUID (a 128-bit Globally Unique Identifier) that is assigned when the object is created and never changes, even if the object is renamed or moved.
Each security principal additionally has a SID (Security Identifier). The SID is what access control lists on resources actually reference; Windows decides who a principal is by its SID, not by its name.
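As an added example (not code from the original post), the following PowerShell reads the GUID and SID of a few objects and shows what the SID is made of. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account names 'jdoe' and 'WS01$' are hypothetical.

```powershell
# Added example: inspect objectGUID and objectSid, and split the SID into domain part and RID.
# Assumes the RSAT ActiveDirectory module; 'jdoe' and 'WS01$' are hypothetical accounts.
Import-Module ActiveDirectory

function Get-PrincipalIdentity {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # objectGUID is returned by default; objectSid has to be requested explicitly.
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName'" }
    if (-not $obj.objectSid) { throw "'$SamAccountName' has no SID, so it is not a security principal" }
    $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
    $rid = [int]($sid.Value -split '-')[-1]
    # The RID, not the name, identifies the built-in accounts: renaming 'Administrator'
    # does not change its RID of 500, and attackers enumerate it that way.
    $wellKnown = switch ($rid) {
        500     { 'Built-in Administrator' }
        502     { 'krbtgt' }
        512     { 'Domain Admins' }
        519     { 'Enterprise Admins' }
        default { '' }
    }
    [pscustomobject]@{
        Name      = $obj.Name
        Class     = $obj.ObjectClass
        GUID      = $obj.ObjectGUID            # 128-bit; survives renames and moves
        SID       = $sid.Value                 # S-1-5-21-<domain part>-<RID>
        DomainSID = $sid.AccountDomainSid.Value
        RID       = $rid
        WellKnown = $wellKnown
    }
}

Get-PrincipalIdentity -SamAccountName 'jdoe'
Get-PrincipalIdentity -SamAccountName 'WS01$'        # computer accounts end in '$'
Get-PrincipalIdentity -SamAccountName 'Administrator'

# Contacts and OUs have a GUID but no SID: they are not security principals.
Get-ADObject -LDAPFilter '(|(objectClass=contact)(objectClass=organizationalUnit))' -Properties objectSid |
    Select-Object Name, ObjectClass, ObjectGUID, objectSid
```

The domain part of every SID in a domain is the same; only the RID differs, which is why RIDs below 1000 are worth recognizing on sight during a review.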
Active Directory structures are nothing but the arrangements of information about objects.
Let’s discuss these Active Directory objects:
- Active Directory Forest: –
It is the highest-level security boundary and a complete Active Directory instance. It contains one or more domains (or domain trees) and everything inside them: users, computers, printers and other network resources. Objects inside a forest can exchange information freely because every domain in the forest trusts every other domain. To communicate with objects in another forest, an explicitly created forest trust (or an external trust to a single domain) is required. The schema and the configuration partition are shared, so the design of the directory is consistent throughout the forest. Microsoft’s guidance is that the forest, not the domain, is the security boundary: an administrator of any domain in the forest can in practice gain control of the whole forest, so a compromise of one domain must be treated as a compromise of the forest.
- Active Directory Domain: –
It is a logical grouping of objects and an administrative boundary for them (the forest, not the domain, is the security boundary). There is no practical limit on the number of objects in a domain, and the objects need not be in the same physical location. Domain controllers hold the authoritative copy of the domain’s directory database; every authentication, authorization decision, addition, deletion and modification inside the domain goes through a domain controller, and all domain controllers of a domain replicate changes to each other.
A user with an account in the domain can log on from any computer in that domain, subject to the “Allow log on locally” and “Deny log on locally” user rights; by default ordinary domain users cannot log on interactively to domain controllers.
Permissions, policies and rights can be set for all objects at the domain level or for individual objects.
- Domain Tree: –
It is a parent-domain/child-domain tree structure, that is, nested domains. Objects in different domains communicate through trusts, which can be transitive or non-transitive and one-way or two-way.
By default, all domains in a forest are connected by two-way transitive trusts (parent/child trusts within a tree and tree-root trusts between trees). All domains in a domain tree share a contiguous DNS namespace, for example a child domain sales.example.com under example.com.
In short, a domain has following components:
• A hierarchical structure of containers, objects and a unique domain name.
• A security mechanism to authenticate and authorize access to domain resources.
• Policies that define what functionality is allowed or restricted for users and computers in the domain.
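The trusts described above are where most cross-domain risk lives, so an administrator wants to see not only that a trust exists but how it is configured. The following PowerShell is an added example (not from the original post) that lists the trusts of the current domain and decodes the trustAttributes bits that decide transitivity, selective authentication and SID filtering. It assumes the RSAT ActiveDirectory module; the bit values are the TRUST_ATTRIBUTE_* constants documented in MS-ADTS.

```powershell
# Added example: report every trust of the current domain with the flags that matter for its attack surface.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$TA = @{
    NonTransitive     = 0x0001   # TRUST_ATTRIBUTE_NON_TRANSITIVE
    Quarantined       = 0x0004   # SID filtering on an external trust
    ForestTransitive  = 0x0008   # forest trust
    CrossOrganization = 0x0010   # selective authentication
    WithinForest      = 0x0020   # parent/child or tree-root trust
    TreatAsExternal   = 0x0040   # forest trust with SID filtering relaxed (netdom /enablesidhistory)
}

function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $a        = [int]$_.TrustAttributes
        $isForest = ($a -band $TA.ForestTransitive) -ne 0
        $inForest = ($a -band $TA.WithinForest) -ne 0
        # SID filtering: intra-forest trusts are never filtered, forest trusts are filtered unless
        # TreatAsExternal was set, external trusts rely on the quarantine bit.
        if ($inForest)     { $sidFiltered = $false }
        elseif ($isForest) { $sidFiltered = ($a -band $TA.TreatAsExternal) -eq 0 }
        else               { $sidFiltered = ($a -band $TA.Quarantined) -ne 0 }
        [pscustomobject]@{
            Partner       = $_.Target
            Direction     = $_.Direction          # Inbound, Outbound or BiDirectional, relative to this domain
            Kind          = if ($inForest) { 'IntraForest' } elseif ($isForest) { 'Forest' } else { 'External' }
            Transitive    = ($a -band $TA.NonTransitive) -eq 0
            SelectiveAuth = ($a -band $TA.CrossOrganization) -ne 0
            SIDFiltering  = $sidFiltered
        }
    }
}

$trusts = Get-TrustReport
$trusts | Format-Table -AutoSize

# Two findings a reviewer looks for. Without SID filtering the partner domain can present arbitrary
# SIDs in SIDHistory, including SIDs from this domain, and be treated as a member of its privileged groups.
$trusts | Where-Object { $_.Kind -ne 'IntraForest' -and -not $_.SIDFiltering } |
    ForEach-Object { Write-Warning "Trust with $($_.Partner): SID filtering is off" }
# Without selective authentication every authenticated user of the partner satisfies
# 'Authenticated Users' on resources in this domain.
$trusts | Where-Object { $_.Kind -ne 'IntraForest' -and $_.Direction -ne 'Outbound' -and -not $_.SelectiveAuth } |
    ForEach-Object { Write-Warning "Trust with $($_.Partner): selective authentication is off" }
```

Direction is reported from the point of view of the domain you query: an inbound trust means the partner’s users can be granted access to resources here, which is the direction that adds exposure.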
- Active Directory Organizational Unit (OU): –
Organizational units exist only inside a domain and cannot span domains. An OU can represent a department, location, team, function and so on. OU names must be unique within their parent container. An OU contains other objects such as users, groups, contacts, computers, printers and shared folders.
An OU can also contain other OUs; nested OUs have a parent/child relationship. Group Policy Objects can be linked at the OU level, and administrative control can be delegated at the OU level by setting permissions on the OU itself.
Child OUs inherit from their parents in two ways: the Group Policy linked to a parent applies to everything beneath it unless the child blocks inheritance (and an enforced link cannot be blocked), and inheritable permissions set on a parent OU flow down to child OUs and the objects in them. A delegation granted high in the tree therefore reaches every object below it, which is why delegations should be reviewed as carefully as group memberships.
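To make the OU mechanics concrete, here is an added PowerShell example (not code from the original post) that builds a small OU tree, links a GPO at the parent, delegates password resets on user objects under the parent to a helpdesk group, and then shows what the child OU inherits. It assumes RSAT with the ActiveDirectory and GroupPolicy modules, and that a security group named 'Helpdesk' already exists; the OU and GPO names are hypothetical.

```powershell
# Added example: nested OUs, a GPO link, an ACL-based delegation, and what the child inherits.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and an existing group 'Helpdesk'.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$parent   = New-ADOrganizationalUnit -Name 'Finance' -Path $domainDN -ProtectedFromAccidentalDeletion $true -PassThru
$child    = New-ADOrganizationalUnit -Name 'Workstations' -Path $parent.DistinguishedName -PassThru

# A GPO linked to the parent applies to every object beneath it unless a child blocks inheritance.
$gpo = New-GPO -Name 'Finance-Baseline' -Comment 'Added example'
New-GPLink -Name $gpo.DisplayName -Target $parent.DistinguishedName -LinkEnabled Yes | Out-Null

# Delegation is just an ACE on the OU and inherits to child objects like any other ACE.
# Grant Helpdesk the 'Reset Password' extended right on user objects anywhere under Finance.
$helpdesk      = Get-ADGroup 'Helpdesk'
$resetPwdGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control access right
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl = Get-Acl -Path "AD:\$($parent.DistinguishedName)"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($parent.DistinguishedName)" -AclObject $acl

# What the child OU inherits: the GPO link from its parent...
Get-GPInheritance -Target $child.DistinguishedName |
    Select-Object -ExpandProperty InheritedGpoLinks      # Finance-Baseline shows up here
# ...and the delegated ACE, marked as inherited.
(Get-Acl -Path "AD:\$($child.DistinguishedName)").Access |
    Where-Object { $_.IsInherited -and $_.IdentityReference -like '*\Helpdesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The ACE is scoped by two GUIDs: the right being granted (reset password) and the class of object it applies to (user). Omitting either widens the delegation, so the same review that checks GPO links should also read the inherited ACEs on each OU.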
- Active Directory User: –
A user is a person who is part of the organization and receives a unique identity in the domain through a user account; the account is how the person accesses the domain’s resources. A user is admitted to the domain only after authentication and may then access resources such as shared folders, printers, computers and applications according to his or her authorizations.
Each user account has a unique SID; the access control lists on resources allow or deny access by referencing that SID. Each user account is unique and is secured by a password or another credential such as a smart card.
- Active Directory Computer: –
An individual workstation or server that is part of the network. Each computer has a unique computer account with its own SID and its own password (changed automatically on a schedule), which allows the computer itself to be authenticated and authorized for access to the domain and its resources. A server can be a domain controller (which may additionally act as a global catalog server) or a member server.
- Active Directory Contact: –
An individual who is not part of the organization but is related to it, for example a customer, supplier or vendor. Unlike a user, a contact has no SID and therefore cannot be assigned permissions, authorizations or restrictions; it is essentially an address book entry.
- Active Directory Group: –
It contains members, which can be users, computers and other groups (and, for distribution groups, contacts). All permissions, authorizations and restrictions placed on a group apply to every member of the group.
There are 2 types of groups: –
1. Security Groups: –
These are used to grant permissions on resources and to apply restrictions to their members. A security group is security-enabled: its SID is added to the access token of every member at logon, so it can appear in access control lists.
2. Distribution Groups: –
These are used only as email distribution lists, for example in Exchange. They are not security-enabled, so they are not placed in a member’s access token and cannot be used to grant or deny access.
What are the scopes of a Group?
Group Scopes: –
Domain local group –
Can be granted permissions only on resources in the same domain as the group, but its members can come from any domain in the forest or from any trusted domain (users, computers, global groups, universal groups, and other domain local groups of the same domain).
Global Group: –
Can be granted permissions on resources in any domain of the forest or any domain that trusts it, but its members must come from the group’s own domain (users, computers and other global groups of that domain).
Universal Group: –
Can be granted permissions on resources anywhere in the forest and can contain members from any domain in the forest. Its membership is stored in the global catalog, so every membership change replicates forest-wide.
The scopes are meant to be combined in the AGDLP pattern: accounts are placed in global groups by role, global groups are placed in domain local groups that each represent one permission on one resource, and only the domain local group appears in the resource’s access control list.
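The following PowerShell is an added example (not from the original post) of the AGDLP pattern that the three scopes are designed for, followed by the two audit questions it raises: who ends up with access to a resource, and which groups give a particular user that access. It assumes the RSAT ActiveDirectory module, two existing users 'jdoe' and 'asmith', an OU named 'Groups' under the domain root, and a folder D:\Shares\Finance on the server running it; all of these names are hypothetical.

```powershell
# Added example: Accounts -> Global group -> Domain Local group -> Permissions (AGDLP).
# Assumes RSAT ActiveDirectory, users 'jdoe' and 'asmith', OU 'Groups', and folder D:\Shares\Finance.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$groupsOU = "OU=Groups,$($domain.DistinguishedName)"

# Global group: members come only from this domain; it represents a role, not a permission.
New-ADGroup -Name 'Role-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'Role-Finance-Analysts' -Members 'jdoe', 'asmith'

# Domain local group: represents one permission on one resource. It may hold principals from any
# trusted domain, but it can only be used on ACLs inside this domain.
New-ADGroup -Name 'ACL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Role-Finance-Analysts'

# The ACL names the domain local group only; role changes never require touching the ACL.
icacls 'D:\Shares\Finance' /grant "$($domain.NetBIOSName)\ACL-FinanceShare-Modify:(OI)(CI)M"

# Audit question 1: who actually has Modify on the share once nesting is resolved?
# -Recursive flattens the hierarchy and returns only the leaf principals.
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object Name, SamAccountName, objectClass
}
Get-EffectiveMembers -Group 'ACL-FinanceShare-Modify'

# Audit question 2: which groups is this user a direct member of, and what scope are they?
# (Direct memberships only; nested membership has to be walked from each group.)
Get-ADPrincipalGroupMembership -Identity 'jdoe' |
    Select-Object Name, GroupScope, GroupCategory
```

Naming groups by role (Role-…) and by permission (ACL-…) makes the direction of nesting obvious when reading a group listing, and makes a role group that is directly on an ACL, or a user placed straight into an ACL group, stand out as a deviation.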
Why should we use Active Directory Services?
1. Layered security: – Policies and permissions can be applied at several levels (forest, domain, OU and individual object) and combined, so access can be controlled at whatever granularity is required.
2. Objects can be located anywhere physically and still access the domain’s or network’s resources securely.
3. A single domain can hold millions of objects; the directory is scalable, flexible and extensible (the schema itself can be extended).
4. An efficient search mechanism (LDAP queries and the global catalog) to locate any object.
5. Centralized storage: – Users, departments and other objects are stored in one place, which makes backup and restore efficient, fast and easy.
6. Efficient and effective management of services, because services are managed centrally.
7. Serves as the identity platform for services such as Exchange and SharePoint.
8. Enables Single Sign-On (SSO) through Kerberos, and supports logon, logoff, startup and shutdown scripts.
9. Roaming profiles: – Users get the same environment settings regardless of which computer or location they log on from.
10. Mandatory profiles: – The environment can also be locked down so that a set of users or computers gets only a specific set of applications and services.
11. Centralized auditing: – Domain controllers record account, group, logon and policy changes in the Windows Security log, which makes it possible to track all the operations in one place.
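Centralized auditing is only useful if the right audit subcategories are enabled and someone reads the events. The PowerShell below is an added example (not from the original post) that enables the subcategories covering account and group changes on domain controllers and then reads those events back by their named fields. It must run on a domain controller with administrative rights; the event IDs are the documented Windows Security log IDs, and the 24-hour window is an assumption.

```powershell
# Added example: enable account/group/logon auditing and triage the resulting Security log events.
# Run on a domain controller as an administrator.
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable

$watched = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4728 = 'Member added to global security group'
    4732 = 'Member added to domain local security group'
    4756 = 'Member added to universal security group'
    4625 = 'Logon failed'
}

# The positional Properties array differs per event ID, so read the named EventData fields instead.
function ConvertFrom-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-DirectoryChangeEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))   # window is an assumption
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$watched.Keys; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Event $_
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                What   = $watched[$_.Id]
                Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who made the change or tried to log on
                Target = $d.TargetUserName                                    # the account or group acted on
                Member = $d.MemberName                                        # set only for the group events
                Source = $d.IpAddress                                         # set only for 4625
                DC     = $_.MachineName
            }
        }
}

# Triage: membership changes to privileged groups inside the window.
Get-DirectoryChangeEvents |
    Where-Object { $_.Id -in @(4728, 4732, 4756) -and $_.Target -match 'Admins$|Operators$' } |
    Sort-Object Time | Format-Table Time, What, Actor, Target, Member -AutoSize
```

Each domain controller logs only the changes it processed itself, so in production these queries are run against every DC (or the logs are forwarded to a central collector); a query on a single DC will miss changes made through the others.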
Where can Active Directory Services be used?
- At any organization that has a network setup.
- Organizations that require 24x7 uptime: several domain controllers replicate the same directory, so there is no single point of failure.
- Any organization where the number of users, computers or resources will keep changing.
- Any organization where information or data security is vital.
- Any organization that operates in multiple locations.
Active Directory fits corporate, government, educational, research, healthcare and non-governmental organizations alike. Active Directory services provide a single, secure, efficient, flexible, scalable and cost-effective mechanism to manage and control all the objects, resources and information in an organization’s network.
I think this information about Active Directory must have answered many of your questions. If you have any suggestions, feel free to leave a comment in the comment section below. Thank you for reading the blog!