Active Directory is a centralized, hierarchical directory database in which we manage information about objects on the network, such as users, groups, computers and printers. The Active Directory Domain Services role must be installed and configured on a Windows Server, which then acts as a domain controller, in order to manage these network objects.
Active Directory was developed by Microsoft to authenticate access to resources on Windows networks. It authenticates and authorizes every computer and user in a Windows domain environment.
In short, Active Directory is a hierarchical directory database that is centrally managed.
Whenever a user logs on to a domain-joined system with a domain user ID and password, a domain controller verifies those credentials (over Kerberos or NTLM) and the logon is permitted or refused accordingly; the user's group memberships are then used to decide what resources the user may access.
⇒ Its purpose is to organize and manage user accounts, computers, groups and network resources.
⇒ It enables authorized users to easily locate and access network resources.
As AD primarily deals with authentication and authorization, let us understand these two terms and remove the ambiguity around them.
Authentication is verifying an identity: proving that you are who you claim to be, for example with a password, a smart card or a Kerberos ticket.
⇒ Authentication is like having the key to a lock. With the right key, we can enter the office.
⇒ Showing our ID card to someone is a way of authenticating ourselves.
Authorization is checking what an already authenticated identity is permitted to do: the permissions it holds on network resources.
⇒ Though we have entered the office with an authenticated key or card, we are not allowed into every room (for example, the security monitoring room).
⇒ My passport authenticates me, but I am not allowed into business class unless I have booked it; that is, I am not authorized to enter business class.
The above examples should clear up the confusion between authentication and authorization. In AD terms, a domain controller authenticates the user, and the access control list (ACL) on each resource, evaluated against the user's SID and group SIDs, authorizes or denies access.
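The following PowerShell, added here as an illustration and not code from the original article, performs the two steps separately on a domain-joined Windows host: it first authenticates a user against the domain, then checks what that user is authorized to do on a file share. The domain corp.example.com, the account CORP\jdoe and the share \\fileserver\Finance are assumptions; substitute your own.

```powershell
# Added example, not from the original article. Assumes a domain-joined host with
# the .NET AccountManagement assembly, and the assumed domain, user and share below.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$domain = 'corp.example.com'                                    # assumption
$cred   = Get-Credential -UserName 'CORP\jdoe' -Message 'Domain credentials to test'
$user   = $cred.GetNetworkCredential().UserName                 # 'jdoe'

# --- 1. Authentication: does a domain controller accept this identity? ---
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
           [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
$authenticated = $ctx.ValidateCredentials($user, $cred.GetNetworkCredential().Password)
if (-not $authenticated) {
    Write-Warning "Authentication failed: $domain rejected the credentials for $user"
    return
}
Write-Host "Authenticated: $domain accepted $user"

# --- 2. Authorization: what may this principal do on a specific resource? ---
# Permissions live in the resource's ACL as entries (ACEs) keyed by SID, usually group
# SIDs, so collect the user's own SID plus every group SID that would be in its token.
$principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $user)
$tokenSids = @($principal.Sid.Value) +
             @($principal.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value })

$share = '\\fileserver\Finance'          # assumption. Get-Acl reads the NTFS ACL of the
$acl   = Get-Acl -Path $share            # folder; share-level permissions are a separate check.
$matching = $acl.Access | Where-Object {
    try {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $tokenSids -contains $sid
    } catch { $false }                   # unresolvable (orphaned) SID: cannot match this user
}

if ($matching) {
    # Deny entries are listed too: an Allow and a Deny both "match", and Deny wins.
    Write-Host "ACEs on $share that apply to ${user}:"
    $matching | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
} else {
    # Authenticated but not authorized: the key opened the office, not this room.
    Write-Host "$user is authenticated but holds no ACE on $share"
}
```

Authentication succeeding tells you nothing about authorization: a correct password for jdoe still yields an empty ACE list on a share the account has never been granted, which is exactly the office-key versus monitoring-room distinction above.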
Active Directory objects can be categorized as:
1. Leaf objects: the individual objects in an organization, such as a user, printer or computer, which do not contain other objects.
2. Container objects: objects that contain other objects, such as a group or an organizational unit (OU).
3. Security principal objects: objects that carry a security identifier (SID) and can therefore be granted permissions and have security policies applied to them, namely users, computers and groups.
To understand the relationship between a leaf object and a security principal object, take an example:
We create a new user account in the domain. It is a leaf object, because it contains no other objects.
The account is created with a SID, so it is also a security principal: we can place it in an ACL, grant it rights and apply security policies to it.
A security principal object can therefore also be a leaf object, but not every leaf object is a security principal: a contact or a printer object has no SID and cannot be granted permissions.
i. Active Directory supports various types of objects: users, groups, computers, printers, shared folders, contacts and organizational units.
ii. User object: a user object represents an individual who needs access to resources on the network. Each user account has a user name and a password and, internally, a SID.
The purpose of creating user accounts is to authenticate the identity of the user and to authorize the user's access to network resources.
Active Directory creates two built-in user accounts in every domain, Administrator and Guest (Guest is disabled by default), together with the krbtgt account used by the Kerberos Key Distribution Center.
iii. Computer: a computer object represents a domain-joined workstation or server. The computer account has its own password and SID, and the machine uses it to authenticate to the domain and to be authorized for network resources.
iv. Examples of network resources are printers, scanners, shared folders and so on.
v. Group: a group is a collection of user accounts, contacts, computers and other groups. Permissions granted to a group apply to all of its members, so groups are the practical unit for managing access.
vi. Contact: a contact holds information (name, e-mail address, telephone number) about a person associated with the organization who does not need a domain logon. A contact object has no SID associated with it, so it cannot be granted permissions.
vii. Shared folder: a shared folder object publishes a file share on a server in the directory so that users can locate it; the permissions themselves are set on the share and on the NTFS folder, not on the directory object.
viii. Printer: a printer object publishes a shared network printer in the directory so that users can find it and print to it.
[Figure: screenshot of the printer object setup]
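The distinction between leaf objects and security principals can be checked directly in the directory: an object is a security principal exactly when it carries an objectSid. The PowerShell below is an added example, not code from the original article; it uses the RSAT ActiveDirectory module to list objects of the classes described above, flag which ones have a SID, and show why that matters for ACLs. The search base OU=Lab,DC=corp,DC=example,DC=com is an assumption.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module on a domain-joined host; the search base is an assumption.
Import-Module ActiveDirectory

$searchBase = 'OU=Lab,DC=corp,DC=example,DC=com'   # assumption

# One LDAP query covering the object classes discussed above. In the schema a
# computer is a subclass of user, 'volume' is a shared folder object and
# 'printQueue' is a published printer.
$filter = '(|(objectClass=user)(objectClass=group)(objectClass=contact)' +
          '(objectClass=printQueue)(objectClass=volume)(objectClass=organizationalUnit))'

$objects = Get-ADObject -SearchBase $searchBase -SearchScope Subtree -LDAPFilter $filter `
                        -Properties objectSid, objectClass, sAMAccountName

$report = $objects | ForEach-Object {
    [pscustomobject]@{
        Name                = $_.Name
        AccountName         = if ($_.sAMAccountName) { $_.sAMAccountName } else { $_.Name }
        ObjectClass         = $_.ObjectClass            # most specific class: user, computer, group, ...
        IsContainer         = $_.ObjectClass -in @('organizationalUnit', 'group')
        IsSecurityPrincipal = ($null -ne $_.objectSid)  # only users, computers and groups carry a SID
        SID                 = if ($_.objectSid) { $_.objectSid.Value } else { '-' }
    }
}
$report | Sort-Object IsSecurityPrincipal, ObjectClass, Name | Format-Table -AutoSize

# Why it matters for access control: an ACE can only reference a SID. Resolving a
# user (a security principal) to a SID works; resolving a contact does not.
foreach ($obj in ($report | Where-Object { $_.ObjectClass -in @('user', 'contact') })) {
    try {
        $account = New-Object System.Security.Principal.NTAccount($obj.AccountName)
        $null    = $account.Translate([System.Security.Principal.SecurityIdentifier])
        '{0,-8} {1,-25} resolves to a SID and can be placed in an ACE' -f $obj.ObjectClass, $obj.AccountName
    } catch [System.Security.Principal.IdentityNotMappedException] {
        '{0,-8} {1,-25} has no SID and cannot be granted permissions' -f $obj.ObjectClass, $obj.AccountName
    }
}
```

The IsContainer column follows the article's own classification, in which a group counts as a container because it holds members; from the LDAP point of view a group is a leaf whose membership is an attribute, which is why it appears in the same query as the other leaf classes.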
Container objects that come with a domain controller's configuration are the default Active Directory containers (not groups) created with every domain.
Types of pre-installed container objects:
1. Domain Controllers – contains the computer accounts of all domain controllers in the domain (strictly an organizational unit, so that Group Policy can be linked to it).
2. Computers – the default location for the accounts of domain-joined workstations and servers.
3. Users – the default location for user accounts and for domain groups such as Domain Admins and Domain Users (historically, where all Windows NT users landed after an upgrade).
4. Builtin – the built-in domain local groups such as Administrators, Account Operators and Backup Operators.
5. ForeignSecurityPrincipals – placeholder objects for security principals from external trusted domains (and for well-known SIDs such as Authenticated Users) that have been added to groups in this domain.
6. Managed Service Accounts – managed and group managed service accounts (MSA/gMSA), whose passwords are rotated automatically by the domain controllers.
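To see these containers on a real domain, the following PowerShell (an added example, not code from the original article) reads their distinguished names from the domain object, counts what each one holds, lists the privileged groups that live in Builtin and Users, and resolves each foreign security principal to the trusted domain it comes from. It assumes the RSAT ActiveDirectory module on a domain-joined host and targets the current user's domain.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module on a domain-joined host; runs against the current user's domain.
Import-Module ActiveDirectory
$d = Get-ADDomain

# AD publishes the distinguished names of the well-known containers on the domain object;
# Builtin and Managed Service Accounts are addressed by their fixed CN under the domain root.
$containers = [ordered]@{
    'Domain Controllers'          = $d.DomainControllersContainer
    'Computers'                   = $d.ComputersContainer
    'Users'                       = $d.UsersContainer
    'Builtin'                     = "CN=Builtin,$($d.DistinguishedName)"
    'Foreign Security Principals' = $d.ForeignSecurityPrincipalsContainer
    'Managed Service Accounts'    = "CN=Managed Service Accounts,$($d.DistinguishedName)"
}

# 1. What lives directly in each default container, broken down by object class
foreach ($c in $containers.GetEnumerator()) {
    $children = @(Get-ADObject -SearchBase $c.Value -SearchScope OneLevel -Filter *)
    $classes  = ($children | Group-Object ObjectClass |
                 ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    '{0,-28} {1,4} objects  {2}' -f $c.Key, $children.Count, $classes
}

# 2. The privileged groups created with the domain sit in Builtin and Users.
#    AdminSDHolder marks them (and their members) with adminCount=1.
Get-ADGroup -Filter 'adminCount -eq 1' -Properties adminCount |
    Select-Object Name, GroupScope, DistinguishedName |
    Sort-Object DistinguishedName | Format-Table -AutoSize

# 3. Foreign security principals are SID-only placeholders for principals from trusted
#    domains (plus well-known SIDs such as S-1-5-11, Authenticated Users). One that sits
#    in a privileged group extends that group's trust boundary into the other domain.
Get-ADObject -SearchBase $d.ForeignSecurityPrincipalsContainer -SearchScope OneLevel `
             -Filter 'objectClass -eq "foreignSecurityPrincipal"' -Properties memberOf |
  ForEach-Object {
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($_.Name)  # CN is the SID
    $resolved = try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { '<unresolved: trust broken or domain unreachable>' }
    [pscustomobject]@{
        SID      = $_.Name
        Resolves = $resolved
        MemberOf = ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
  } | Format-Table -AutoSize
```

An unresolved foreign SID that is still a member of Administrators or Domain Admins is worth investigating: it is either an orphan from a removed trust, which should be cleaned out, or a principal in a domain you can no longer see, which still holds the rights.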