The primary role of Microsoft Active Directory is to provide a directory of user accounts, together with tools to restrict users' access to particular resources on Windows Server-based platforms.
Active Directory is divided into containers referred to as 'organizational units' (OUs). OUs can contain other OUs, with settings inherited from parent to child. Each organizational unit stores user information and can have security policy applied to it through a Microsoft technology known as Group Policy.
Group Policy is used to specify what files, folders and applications a particular user may access. User information is stored as objects and each object contains a unique security identifier (SID), which is used as its primary key. Users can be placed in ‘Security Groups’, where restrictions can be applied to all users in a group. There are also ‘Distribution Groups’, which are primarily used for communicating with group members.
Groups also have a scope, of which there are three types:
Global groups: can only include members from the domain in which they are created, but may be granted permissions to resources in any domain.
Domain Local groups: can include members from any domain, but can only be granted permissions to resources that reside in the same domain as the group.
Universal groups: can include members from any domain and may be granted permissions to resources located in any domain.
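A practical way to check how these scope rules are applied in your own domain is to inventory the groups by scope and look for Domain Local groups whose membership includes principals from other domains (those appear under CN=ForeignSecurityPrincipals). This is an added PowerShell example, not code from the original article; it assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the directory.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module and a session with read access to the domain.
Import-Module ActiveDirectory

function Get-GroupScopeReport {
    # One row per scope: how many groups exist and how large the biggest one is.
    # Universal groups are replicated to the global catalog, so a very large
    # Universal group is worth reviewing.
    foreach ($scope in 'DomainLocal', 'Global', 'Universal') {
        $groups = @(Get-ADGroup -Filter "GroupScope -eq '$scope'" -Properties member)
        $largest = $groups |
            ForEach-Object { @($_.member).Count } |
            Measure-Object -Maximum
        [pscustomobject]@{
            Scope        = $scope
            GroupCount   = $groups.Count
            LargestGroup = $largest.Maximum
        }
    }
}

function Find-ForeignMembers {
    # Members that belong to another domain are stored as foreign security
    # principal objects; only Domain Local and Universal groups may hold them.
    # Reporting them for Domain Local groups shows where cross-domain access
    # into this domain's resources has been granted.
    foreach ($g in Get-ADGroup -Filter "GroupScope -eq 'DomainLocal'" -Properties member) {
        $foreign = @($g.member | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })
        if ($foreign.Count -gt 0) {
            [pscustomobject]@{
                Group      = $g.Name
                GroupSID   = $g.SID.Value          # the object's unique SID
                ForeignDNs = $foreign -join '; '   # RDN of each entry is the member's SID
            }
        }
    }
}

Get-GroupScopeReport | Format-Table -AutoSize
Find-ForeignMembers | Format-Table -AutoSize -Wrap
```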
Each Active Directory object is associated with a domain, and domains can be connected to one another via 'trust relationships'. Domains use a special type of server called a Domain Controller (DC) – itself stored as an object within the domain – to authenticate users and authorize access to the domain's resources.
Active Directory is clearly an important tool for managing the security of your network. However, AD has limited auditing capabilities. If you need real-time security alerts, compliance reports and network health monitoring, you will need to invest in a more advanced suite of auditing solutions, such as LepideAuditor for Active Directory.