Access control entry (ACE)
In Windows-based systems, an entry in an access control list containing the security identifier for a user or group and an access mask that specifies which operations by the user or group are allowed, denied, or audited. All objects in Active Directory are protected by a security descriptor; the security descriptor contains an access control list, which contains access control entries (ACEs). These ACEs collectively specify the set of permissions that various security principals (users, groups, computers) have on that object.

Access control list (ACL)
An ACL decides which user, computer, or group has which rights. In Windows-based systems, a list of access control entries that apply to an entire object, a set of the object's properties, or an individual property of an object, and that define the access granted to one or more security principals. All objects in Active Directory are protected by a security descriptor; the security descriptor contains an access control list, which contains access control entries (ACEs). These ACEs collectively specify the set of permissions that various security principals (users, groups, computers) have on that object.

Access token
A data structure that contains authorization information for a user or group. A system uses an access token to control access to securable objects and to control the ability of a user to perform various system-related operations on a local computer.

Active Directory
Active Directory (AD) is a technology created by Microsoft to provide network services including LDAP directory services, Kerberos-based authentication, DNS naming, secure access to resources, and more. Active Directory uses a single Jet database which a variety of services and applications can use to access and store a variety of information. Active Directory is used by system administrators to store information about users, assign security policies, and deploy software. AD is used in environments of many different types and sizes, from the very small (a dozen users) to hundreds of thousands of users.

Active Directory Application Mode (ADAM)
A stand-alone directory service that is designed specifically for use with directory-enabled applications. Active Directory Application Mode (ADAM) does not require or depend on Active Directory forests or domains. ADAM stores and replicates only application-related information; it does not store or replicate network operating system (NOS)-related information.

Active Directory Application Mode (ADAM) instance
For Active Directory Application Mode (ADAM), a single copy of the ADAM directory service, along with its associated directory store, assigned Lightweight Directory Access Protocol (LDAP) and Secure Sockets Layer (SSL) ports, and application event log. You can run multiple ADAM instances simultaneously on a single computer.

Active Directory Service Interfaces (ADSI)
A client-side product based on the Component Object Model (COM). ADSI defines a directory service model and a set of COM interfaces that enable Windows NT and Windows 95 client applications to access several network directory services, including Active Directory. ADSI allows applications to communicate with Active Directory.

ADAMSync
An ADAM administration tool that synchronizes objects from Active Directory to an Active Directory Application Mode instance.

Application partition (in Active Directory)
In Windows Server 2003, Active Directory supports application directory partitions. Typically, data in a given application directory partition is managed through the application that created it or that uses it. Application directory partitions provide the ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data. As a result, the application directory partition provides the capability of hosting dynamic data in Active Directory, allowing ADSI/LDAP access to it without significantly impacting network performance. Application directory partitions hold the data that is used by applications. An application directory partition can contain a hierarchy of any type of objects except security principals, and can be configured to replicate to any set of domain controllers in the forest. Unlike a domain partition, an application directory partition is not required to replicate to all domain controllers in a domain, and the partition can replicate to domain controllers in different domains of the forest.

Application partition (in ADAM)
Application directory partitions hold the data that is used by applications. Application partitions can be established during ADAM setup or at any time after installation. Typically, data in a given application directory partition is managed through the application that created it or that uses it. After the application directory partition is created, ADAM holds the application partition reference objects in CN=Partitions, CN=Configuration.

Attribute
A single property of an object. An object is described by the values of its attributes. For example, a car can be described by its attributes: make, model, color, and so on. The term attribute is often used interchangeably with property, which means the same thing. Attributes are also the data items used to describe the objects that are represented by the classes defined in the schema. For example, every computer joined to the directory is represented in the directory by a corresponding computer object. A computer object is a collection of various attributes that collectively store useful information about the computer they represent. For example, a computer object has an attribute called "Machine-Role" which provides a description of the machine (such as Workstation or Server). Similarly, all objects in Active Directory are collections of attributes. Attributes are defined in the schema separately from the classes; this allows a single attribute definition to be applied to many classes.

Authentication
The process for verifying that an entity or object is who or what it claims to be.

Authentication protocol
The protocol by which an entity on a network proves its identity to a remote entity. Typically, identity is proved with the use of a secret key, such as a password, or with a stronger key, such as the key on a smart card. Some authentication protocols also implement mechanisms to share keys between client and server to provide message integrity or privacy.

Authorization
The process of granting a person, computer process, or device access to certain information, services, or functionality. Authorization is derived from the identity of the person, computer process, or device requesting access, which is verified through authentication.

Binding
In LDAP, binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client's privileges. See also: Lightweight Directory Access Protocol (LDAP).

Configuration partition (in Active Directory)
The configuration directory partition holds information about an entire Active Directory forest, including replication scheduling and site-related information, information that defines the cross-references, and other forest-related configuration information.

Configuration partition (in ADAM)
The configuration directory partition holds information about ADAM replication scheduling and replica sets, information that defines the other partitions in the replication set, information about the users and groups in the replica set, and other information.

Configuration set
In Active Directory Application Mode (ADAM), a set of ADAM instances that share and replicate a common schema partition and a common configuration partition.

Container
A special type of Active Directory object. A container is like other directory objects in that it has attributes and is part of the Active Directory namespace. However, unlike other objects, it does not usually represent something concrete. The only purpose of a container object is to contain other directory objects and other containers.

csvde
A command-line tool for importing and exporting directory contents, such as schema definitions and directory objects, that are stored as comma-separated value (CSV) files.

Database layer
An architectural layer of Active Directory that isolates the upper layers of the directory service from the underlying database system by exposing application programming interfaces (APIs) to the Directory System Agent (DSA) layer, so that no calls are made directly to the Extensible Storage Engine (ESE).

Delegation
In Active Directory, a capability that enables a higher administrative authority to grant specific administrative rights to perform specific administrative tasks (usually on specific subjects) to individuals and groups. This eliminates the need for domain administrators with sweeping authority over large segments of the user population. Access control entries (ACEs) can grant specific administrative rights on the objects in a container to a user or group. Rights are granted for specific operations on specific object classes via ACEs in the container's Access Control List (ACL).

Digest Access Protocol (DAP)
A lightweight authentication protocol for parties involved in communications that are based on Hypertext Transfer Protocol (HTTP) or Simple Authentication and Security Layer (SASL).

Directory
A hierarchical structure that stores information about objects on the network.

Directory partition
A contiguous sub-tree of the directory that forms a unit of replication. A given replica is always a replica of some directory partition.

Directory service
Both the directory information source and the service that makes the information available and usable. A directory service enables the user to find an object when given any one of its attributes. For example, a directory service can be used to obtain a list of all users or computers that belong to a specific branch office in a company.

Directory Services Markup Language (DSML)
An open, extensible, standards-based format for publishing directory service schemas and exchanging directory contents.

Directory-enabled application
An application that reads, writes, or modifies data that is stored in a directory service. Directory-enabled applications typically leverage the storage and search capabilities of a directory service. An example of a directory-enabled application would be one that provides a rich set of user-specific information by querying a directory service for the pertinent information; for example, it could provide a report of all users in a specific business group, all users on a project, or all computers in a specific location or with a specific service pack applied.

Domain Name System (DNS)
A hierarchical distributed database used for name/address translation and client-server rendezvous. Domain Name System is the namespace used on the Internet to translate computer and service names into TCP/IP addresses. Active Directory uses DNS as its location service, so clients find domain controllers via DNS queries.

DSML
See definition for: Directory Services Markup Language (DSML).

Extensible Storage Engine (ESE)
The Active Directory database engine. ESE (Esent.dll) is an improved version of the Jet database that is used in Microsoft Exchange Server versions 4.x and 5.5. It implements a transacted database system, which means that it uses log files to ensure that committed transactions are safe.

Firewall
A security solution which segregates one portion of a network from another portion, allowing only authorized network traffic to pass through according to traffic filtering rules.

Forest
A group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of trust.

Global Catalog (GC)
The global catalog contains a partial replica of every Windows 2000 / Windows 2003 domain in the directory. The GC lets users and applications find objects in an Active Directory domain tree, given one or more attributes of the target object. It also contains the schema and configuration directory partitions. This means the global catalog holds a replica of every object in Active Directory, but with only a small number of their attributes. The attributes in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon names, and so on), and those required to locate a full replica of the object. The GC allows users to find objects of interest quickly without knowing what domain holds them and without requiring a contiguous extended namespace (a single logical directory tree, as opposed to a set of directory trees) in the enterprise. The global catalog is built automatically by the Active Directory replication system.

Global Catalog server
A Windows 2000 / Windows 2003 domain controller that holds a copy of the global catalog for the forest.

Globally Unique Identifier (GUID)
A 16-byte value generated from the unique identifier on a device, the current date and time, and a sequence number. A GUID is used to identify a particular device, component, user, or session.

Group
A collection of users, computers, contacts, and other groups. Groups can be used as security or as email distribution collections. Distribution groups are used only for email. Security groups are used both to grant access to resources and as email distribution lists.

Group memberships
The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In most cases, the actions a user can perform in Windows are determined by the group memberships of the user account with which the user is logged on.

Group Policy object (GPO)
A logical concept that is used to represent a single collective set of computer and/or user policies. It is given a unique name, such as a globally unique identifier (GUID). A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO. In addition, by default every computer receives a local Group Policy object (LGPO) that contains only security-specific policies. It is also possible for the administrator to set and apply different local group policies on individual computers. This is useful for computers that are not members of a domain, or computers that the administrator wishes to exempt from Group Policy inherited from the domain.

Hierarchical namespace
Any namespace that is hierarchically structured and provides rules that allow the namespace to be partitioned. Both the DNS namespace and the Active Directory namespace are examples of a hierarchical namespace.

HotFix
A single cumulative package composed of one or more files used to address a problem in a product. Hotfixes address a specific customer situation and may not be distributed outside the customer organization. The terms QFE, patch, and update have been used in the past as synonyms for hotfix.

Kerberos
A security system that authenticates users. Kerberos doesn't provide authorization to services or databases; it establishes identity at logon, which is used throughout the session. The Kerberos protocol is the primary authentication mechanism in the Windows 2000 and Windows 2003 operating systems.

Knowledge Consistency Checker (KCC)
A built-in service that runs on all domain controllers and automatically establishes connections between individual machines in the same site. These are known as Windows 2000 and Windows 2003 Directory Service connection objects. An administrator may establish additional connection objects or remove connection objects. At any point, however, where replication within a site becomes impossible or has a single point of failure, the KCC will step in and establish as many new connection objects as necessary to resume Active Directory replication.

LDP
ldp.exe is a graphical user interface (GUI) tool for general administration of a Lightweight Directory Access Protocol (LDAP) directory service.

ldifde
A command-line tool for importing and exporting directory contents to and from Active Directory / ADAM, such as schema definitions and directory objects, that are stored as LDAP Data Interchange Format (LDIF) files.

Lightweight Directory Access Protocol (LDAP)
An industry-standard protocol established by the Internet Engineering Task Force (IETF) that allows users to query and update information in a directory service. LDAP is the primary access protocol for Active Directory; Active Directory supports both LDAP version 2 and LDAP version 3.

Microsoft Digest
A security support provider (SSP) that implements the Digest Access protocol. Microsoft Digest provides a simple challenge-response mechanism for authenticating clients, and it is intended for use by client/server applications that use communications based on Hypertext Transfer Protocol (HTTP) or Simple Authentication and Security Layer (SASL).

Mixed mode
Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. In mixed mode, the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

Multi-master replication (in Active Directory)
A feature of Active Directory that provides and maintains copies of the directory across multiple servers in a domain. Since all replicas of a given directory partition are writable, updates can be applied to any replica of a given partition. The Active Directory replication system propagates the changes from a given replica to all other replicas. Replication is automatic and transparent. Active Directory multi-master replication propagates every object (such as users, groups, computers, domains, organizational units, security policies, and so on) created on any domain controller to each of the other participating domain controllers. If one domain controller in a domain slows or fails, other domain controllers in the same domain can provide the necessary directory access because they contain the same directory data.

Multi-master replication (in ADAM)
A feature of Active Directory Application Mode that provides and maintains copies of the directory across multiple servers in a configuration set. Since all replicas of a given configuration set are writable, updates can be applied to any replica of a given partition in a replication set. The Active Directory Application Mode replication system propagates the changes from a given replica to all other replicas. Replication is automatic and transparent. Active Directory Application Mode multi-master replication propagates every object created on any ADAM instance to each of the other participating ADAM instances that span a replica set. If one ADAM instance slows or fails, other ADAM instances in the same replica set can provide the necessary directory access because they contain the same directory data.

Namespace
A name, or group of names, that is defined according to some naming convention; any bounded area in which a given name can be resolved. Active Directory is primarily a namespace, as is any directory service. A telephone directory is also a namespace. The Internet uses a hierarchical namespace that partitions names into categories known as top-level domains, such as .com, .edu, and .gov, which are at the top of the hierarchy.

Name resolution
The process of translating a name into some object or information that the name represents. A telephone book forms a namespace in which the names of telephone subscribers can be resolved into telephone numbers. The Windows NTFS file system forms a namespace in which the name of a file can be resolved into the file itself. Similarly, Active Directory forms a namespace in which the name of an object in the directory can be resolved into the object itself.

Native mode
When all the domain controllers in a given domain are running Windows 2000, or when all the domain controllers in a given domain are running Windows Server 2003. This mode allows organizations to take advantage of Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.

Network Service account
A predefined local account that is used to start a service and provide the security context for that service. The name of the account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and authenticated access (as the computer account) to network resources.

Object
A distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. The attributes hold data describing the thing that is identified by the directory object. Attributes of a user might include the user's given name, surname, and e-mail address.

Object identifier (OID)
A number that identifies an object class or attribute. Object identifiers (OIDs) are organized into an industry-wide global hierarchy. An object identifier is represented as a dotted decimal string, such as 126.96.36.199, with each dot representing a new branch in the hierarchy. National registration authorities issue root object identifiers to individuals or organizations, who manage the hierarchy below their root object identifier.

Organizational unit (OU)
A container object that is an Active Directory administrative partition. OUs can contain users, groups, resources, and other OUs. Organizational units enable the delegation of administration to distinct sub-trees of the directory.

Parent-child trust relationship
The two-way, transitive trust relationship that is established when you add a domain to an Active Directory tree. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new child domain) and the parent domain.

Partition
A complete unit of replication within the store. See also: application partition, configuration partition, directory partition, schema partition.

Permissions
Authorization to perform operations associated with a specific shared resource, such as a file, directory, or printer. Permissions must be granted by the system administrator to individual user accounts or administrative groups.

Relative Distinguished Name (RDN)
The part of the name of an object that is an attribute of the object itself. The attribute that provides the RDN for an object is referred to as the naming attribute.

Remote Procedure Call (RPC)
A communication mechanism that allows computers to communicate with one another over a network. An RPC consists of a procedure identifier, parameters passed to the procedure, and a value returned to the caller (client computer) after the procedure has executed on the remote system (server computer).

Replica
In Active Directory replication, one instance of a logical Active Directory partition that is synchronized by means of replication between domain controllers that hold copies of the same directory partition.

Replication
In database management, the function that keeps distributed databases synchronized by routinely copying the entire database or subsets of the database to other servers in the network. There are several methods of replication, including primary site replication, shared or transferred ownership replication, symmetric replication (also known as update-anywhere or peer-to-peer replication), and failover replication.

Schema
The Active Directory schema contains the definitions for all objects in the directory. Every new directory object created is validated against the appropriate object definition in the schema before being written to the directory. The schema is made up of object classes and attributes. The base (or default) schema contains a rich set of object classes and attributes to meet the needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory services. Because it is extensible, you can modify and add classes and attributes to the base schema.

Schema partition
The schema directory partition holds the definitions for the type of data that can be held by the directory store. Both the Active Directory and ADAM services rely on the definitions in their respective schema partitions for maintaining data consistency. In addition, applications can refer to the schema partition to determine the type of data that the Active Directory forest or the ADAM instance allows. The schema can be extended to allow Active Directory and ADAM to hold data that is specific to a particular application.

Schema cache
An in-memory copy of the schema on the domain controller. To improve performance on schema operations (such as new object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it holds on disk). This cached version is automatically updated (after a small time interval) each time you update the schema. Additionally, you can reload the updated schema into the cache manually for immediate effect.

Secure Sockets Layer (SSL)
A protocol that provides secure data communication through data encryption. This protocol enables authentication, integrity, and data privacy over networks through a combination of digital certificates, public-key cryptography, and bulk data encryption. This protocol does not provide authorization or non-repudiation.

Security context
The security attributes or rules that are currently in effect. For example, the rules that govern what a user can do to a protected object are determined by security information in the user's access token and in the object's security descriptor. Together, the access token and the security descriptor form a security context for the user's actions on the object.

Security descriptor
A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a discretionary access control list (DACL) that controls access to the object, and a system access control list (SACL) that controls the logging of attempts to access the object.

Security Identifier (SID)
A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.

Security package
The software implementation of a security protocol. Security packages are contained in security support provider dynamic-link libraries (DLLs) or in security support provider/authentication package DLLs.

Security principal
Any object that has a security identifier (SID) and that can be assigned permissions to directory objects (and to all MS Windows securable objects). A security principal can be a user, group, service, or computer.

Security protocol
A specification that defines security-related data objects and rules about how the objects are used to maintain security on a computer system.

Security Support Provider (SSP)
A dynamic-link library (DLL) that implements the Security Support Provider Interface (SSPI) by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos and NTLM.

Security Support Provider Interface (SSPI)
A common interface between transport-level applications, such as Microsoft Remote Procedure Call (RPC), and security support providers (SSPs), such as Windows Distributed Security. SSPI allows a transport application to call one of the SSPs to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol's details.

Service Account
An account (either a local Windows account or a domain account) in whose security context a service runs on a Windows machine.

Service Principal Name (SPN)
A way of referring to a service principal. SPN structures generally follow Internet Engineering Task Force (IETF) naming conventions, and they often include the name of the computer on which the service is running. SPNs may be used to request Kerberos tickets, and they are required for mutual authentication.

Simple Authentication and Security Layer (SASL)
An open framework, described in Request for Comments (RFC) 2222, for adding authentication support to connection-based protocols.

Single-master operations
Active Directory operations that are single-master, that is, not permitted to occur at different places in the network at the same time. Examples of these operations include relative identifier (RID) allocation, schema modification, and certain infrastructure changes.

Site
A location in a network holding Active Directory servers. A site is defined as one or more well-connected TCP/IP subnets. Well-connected means that network connectivity is highly reliable and fast (LAN speeds, 10 megabits per second or greater). Sites play a major role in the Active Directory replication service, which differentiates between replication using a local network connection (intra-site replication) and replication over a slower wide area network (WAN) link (inter-site replication). Administrators use the Active Directory Sites and Services Manager snap-in to administer replication topology for both intra- and inter-site replication.

Site Link
An object in Active Directory that contains information about the link between two Active Directory sites. Information contained in a site link includes what connections are available, which ones are preferred, and how much bandwidth is available. Active Directory uses this information to choose times and connections for replication that will afford the best performance.

Synchronization
The act of synchronizing data between two or more logically connected data stores.

Transitive trust
The trust relationship that inherently exists between Windows 2000 and/or Windows Server 2003 domains in a domain tree or forest, or between trees in a forest, or that can exist between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. Transitive trusts are always two-way relationships. This series of trusts, between parent and child domains in a domain tree and between root domains of domain trees in a forest, allows all domains in a forest to trust each other for the purposes of authentication. For example, if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C.

Tree
A set of Windows NT / 2000 / 2003 domains connected together through transitive, bidirectional trust, sharing a common schema, configuration, and global catalog. The domains must form a contiguous hierarchical namespace such that if a.com is the root of the tree, b.a.com is a child of a.com, c.b.a.com is a child of b.a.com, and so on.

Well-connected
Sufficient connectivity to make your network and Active Directory useful to clients on your network. The precise meaning of the term is determined by your particular needs.

X.500
A set of standards defining a distributed directory service, developed by the International Standards Organization (ISO).
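The entries for access token, access control entry, access control list, security descriptor and security context above describe the pieces; the following Python model, added here and not code from this glossary or from Windows, puts them together as a simplified DACL walk (deny ACEs win over later allow ACEs, a missing DACL grants everything, an empty DACL grants nothing) and shows which access attempts the SACL asks to audit. The SIDs, mask bits and ACEs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access-mask bits used by the example (constructed; real Windows masks differ).
READ = 0x1
WRITE = 0x2
DELETE = 0x4
ALL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    """One access control entry: a SID plus an access mask, and whether the
    listed operations are allowed or denied (DACL) or audited (SACL)."""
    kind: str   # "allow", "deny" or "audit"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    """Owner, primary group, DACL (who may do what) and SACL (what to log)."""
    owner: str
    group: str
    dacl: Optional[List[Ace]] = None         # None means the object has no DACL
    sacl: List[Ace] = field(default_factory=list)


@dataclass
class AccessToken:
    """Authorization information for a caller: its user SID and group SIDs."""
    user_sid: str
    group_sids: List[str]

    def sids(self) -> Set[str]:
        return {self.user_sid, *self.group_sids}


def access_check(sd: SecurityDescriptor, token: AccessToken,
                 requested: int) -> Tuple[bool, List[str]]:
    """Decide whether the token may perform the requested operations on the
    object, and collect the audit records the SACL asks for.

    Simplified model of the Windows DACL walk: ACEs are evaluated in order; a
    deny ACE for any SID in the token whose mask overlaps the request denies
    at once; allow ACEs accumulate bits until every requested bit is granted.
    """
    sids = token.sids()
    if sd.dacl is None:            # no DACL at all: everyone gets full access
        granted = True
    else:                          # empty DACL: loop runs zero times, no access
        have = 0
        granted = False
        for ace in sd.dacl:
            if ace.sid not in sids:
                continue
            if ace.kind == "deny" and ace.mask & requested:
                break
            if ace.kind == "allow":
                have |= ace.mask & requested
                if have == requested:
                    granted = True
                    break
    audits = [
        f"{'success' if granted else 'failure'} sid={token.user_sid} mask={requested:#x}"
        for ace in sd.sacl
        if ace.kind == "audit" and ace.sid in sids and ace.mask & requested
    ]
    return granted, audits


# Constructed sample: an OU-like object with a small DACL and SACL.
ALICE = "S-1-5-21-EXAMPLE-1001"      # constructed SIDs, not real ones
BOB = "S-1-5-21-EXAMPLE-1002"
ADMINS = "S-1-5-21-EXAMPLE-512"
HELPDESK = "S-1-5-21-EXAMPLE-1105"

SAMPLE_SD = SecurityDescriptor(
    owner=ADMINS, group=ADMINS,
    dacl=[
        Ace("deny", BOB, DELETE),             # explicit deny listed first
        Ace("allow", HELPDESK, READ | WRITE),
        Ace("allow", ADMINS, ALL),
    ],
    sacl=[Ace("audit", HELPDESK, DELETE)],    # log delete attempts by helpdesk
)


def demo() -> dict:
    """Run the sample checks; each value is (granted, audit_records)."""
    alice = AccessToken(ALICE, [HELPDESK])
    bob = AccessToken(BOB, [HELPDESK, ADMINS])
    return {
        "alice_read_write": access_check(SAMPLE_SD, alice, READ | WRITE),
        "alice_delete": access_check(SAMPLE_SD, alice, DELETE),
        "bob_delete": access_check(SAMPLE_SD, bob, DELETE),   # deny beats ADMINS allow
        "empty_dacl": access_check(SecurityDescriptor(ADMINS, ADMINS, dacl=[]), alice, READ),
        "null_dacl": access_check(SecurityDescriptor(ADMINS, ADMINS), alice, ALL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} granted={result[0]} audits={result[1]}")
```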