Access control entry by wajeeha713

Access control entry (ACE)
In Windows-based systems, an entry in an access control list containing the security identifier for a user or group and an
access mask that specifies which operations by the user or group are allowed, denied, or audited. All objects in the Active
Directory are protected by a security descriptor – the security descriptor contains an access control list which contains access
control entries (ACEs) – these ACEs collectively specify the set of permissions that various security principals (users, groups,
computers) have on that object.
Access control list (ACL)
An ACL decides which rights a given user, computer or group has. In Windows-based systems, a list of access control entries that
apply to an entire object, a set of the object's properties, or an individual property of an object, which define the access
granted to one or more security principals. All objects in the Active Directory are protected by a security descriptor – the
security descriptor contains an access control list which contains access control entries (ACEs) – these ACEs collectively
specify the set of permissions that various security principals (users, groups, computers) have on that object.
Access token
A data structure that contains authorization information for a user or group. A system uses an access token to control access
to securable objects and to control the ability of a user to perform various system-related operations on a local computer.
Active Directory
Active Directory (AD) is a technology created by Microsoft to provide network services including LDAP directory services,
Kerberos based authentication, DNS naming, secure access to resources, and more. Active Directory uses a single Jet
database which a variety of services and applications can use to access and store a variety of information. Active Directory is
used by system administrators to store information about users, assign security policies, and deploy software. AD is used in
many different types and size of environments from the very small (a dozen users) to hundreds of thousands of users.
Active Directory Application Mode (ADAM)
A stand-alone directory service that is designed specifically for use with directory-enabled applications. Active Directory
Application Mode (ADAM) does not require or depend on Active Directory forests or domains. ADAM stores and replicates
only application-related information. ADAM does not store or replicate network operating system (NOS)-related information.
Active Directory Application Mode (ADAM) instance
For Active Directory Application Mode (ADAM), a single copy of the ADAM directory service, along with its associated
directory store, assigned Lightweight Directory Access Protocol (LDAP) and Secure Sockets Layer (SSL) ports, and
application event log. You can run multiple ADAM instances simultaneously on a single computer.
Active Directory Service Interfaces (ADSI)
A client-side product based on the Component Object Model (COM). ADSI defines a directory service model and a set of
COM interfaces that enable Windows NT and Windows 95 client applications to access several network directory services,
including Active Directory. ADSI allows applications to communicate with Active Directory.
An ADAM administration tool that synchronizes objects from Active Directory to an Active Directory Application Mode
Application partition (in Active Directory)
In Windows Server 2003, Active Directory supports application directory partitions. Typically, data in a given application
directory partition is managed through the application that created it or that uses it. Application directory partitions provide the
ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data.
As a result, the application directory partition provides the capability of hosting dynamic data in Active Directory, thus allowing
ADSI/LDAP access to it, without significantly impacting network performance. Application directory partitions hold the data
that is used by applications. An application directory partition can contain a hierarchy of any type of objects, except security
principals, and can be configured to replicate to any set of domain controllers in the forest.
Unlike a domain partition, an application directory partition is not required to replicate to all domain controllers in a domain and
the partition can replicate to domain controllers in different domains of the forest.
Application partition (in ADAM)
Application directory partitions hold the data that is used by applications. Application partitions can be established during
ADAM setup or at any time after installation. Typically, data in a given application directory partition is managed through the
application that created it or that uses it. After the application directory partition is created, ADAM holds the application
partition reference objects in CN=Partitions, CN=Configuration.
Attribute
A single property of an object. An object is described by the values of its attributes. For example, a car can be described by its
attributes: make, model, color, and so on. The term attribute is often used interchangeably with property, which means the
same thing. Attributes are also data items used to describe the objects that are represented by the classes defined in the
schema. For example, every computer joined to the directory is represented in the directory by a corresponding computer object.
A computer object is a collection of various attributes that collectively store some useful information about the computer that
they represent. For example, a computer object has an attribute called “Machine-Role” which serves to provide a description
of the machine (such as Workstation or Server).
Similarly, all objects in the Active Directory are a collection of attributes. Attributes are defined in the schema separately from
the classes; this allows a single attribute definition to be applied to many classes.
Authentication
The process for verifying that an entity or object is who or what it claims to be.
Authentication protocol
The protocol by which an entity on a network proves its identity to a remote entity. Typically, identity is proved with the use of
a secret key, such as a password, or with a stronger key, such as the key on a smart card. Some authentication protocols also
implement mechanisms to share keys between client and server to provide message integrity or privacy.
Authorization
The process of granting a person, computer process, or device access to certain information, services, or functionality.
Authorization is derived from the identity of the person, computer process, or device requesting access, which is verified
through authentication.
Binding
In LDAP, binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated,
allows the client access to the LDAP server based on that client's privileges.
See also: Lightweight Directory Access Protocol (ADAM)
Configuration partition (in Active Directory)
The configuration directory partition holds information about an entire Active Directory forest, including replication scheduling
and site-related information, and information that defines the cross-references and other forest-related configuration
Configuration partition (in ADAM)
The configuration directory partition holds information about ADAM replication scheduling and replica sets, information that
defines the other partitions in the replication set, information about the users and groups in the replica set, and other
Configuration set
In Active Directory Application Mode (ADAM), a set of ADAM instances that share and replicate a common schema partition
and a common configuration partition.
Container
A special type of Active Directory object. A container is like other directory objects in that it has attributes and is part of the
Active Directory namespace. However, unlike other objects, it does not usually represent something concrete. The only
purpose of a container object is to contain other directory objects and other containers.
A command-line tool for importing and exporting directory contents, such as schema definitions and directory objects, that are
stored as comma-separated value (CSV) files.
Database layer
An architectural layer of Active Directory that isolates the upper layers of the directory service from the underlying database
system by exposing application programming interfaces (APIs) to the Directory System Agent (DSA) layer so that no calls are
made directly to the Extensible Storage Engine (ESE).
Delegation
In Active Directory, a capability that enables a higher administrative authority to grant specific administrative rights to perform
specific administrative tasks (usually on specific subjects) to individuals and groups. This eliminates the need for domain
administrators with sweeping authority over large segments of the user population.
Access control entries (ACEs) can grant specific administrative rights on the objects in a container to a user or group. Rights
are granted for specific operations on specific object classes via ACEs in the container’s Access Control List (ACL).
Digest Access Protocol (DAP)
A lightweight authentication protocol for parties involved in communications that are based on Hypertext Transfer Protocol
(HTTP) or Simple Authentication and Security Layer (SASL).
Directory
A hierarchical structure that stores information about objects on the network.
Directory partition
A contiguous sub-tree of the directory that forms a unit of replication. A given replica is always a replica of some directory
Directory service
Both the directory information source and the service that makes the information available and usable. A directory service
enables the user to find an object when given any one of its attributes. For example, a directory service can be used to obtain
a list of all users or computers that belong to a specific branch office in a company.
Directory Services Markup Language (DSML)
An open, extensible, standards-based format for publishing directory service schemas and exchanging directory contents.
Directory-enabled application
An application that reads, writes, or modifies data that is stored in a directory service. Directory enabled applications typically
leverage the storage and search capabilities of a directory service. An example of a directory enabled application would be
one that provides a rich set of user-specific information by querying a directory service for the pertinent information – for
example, it could provide a report of all users in a specific business group, or all users on a project, or all computers in a
specific location or with a specific service pack applied, etc.
Domain Name System (DNS)
Hierarchical distributed database used for name/address translation and client-server rendezvous. Domain Name System is
the namespace used on the Internet to translate computer and service names into TCP/IP addresses. Active Directory uses
DNS as its location service, and so clients find domain controllers via DNS queries.
DSML
See definition for: Directory Services Markup Language (DSML)
Extensible Storage Engine (ESE)
The Active Directory database engine. ESE (Esent.dll) is an improved version of the Jet database that is used in Microsoft
Exchange Server versions 4.x and 5.5. It implements a transacted database system, which means that it uses log files to
ensure that committed transactions are safe.
Firewall
A security solution which segregates one portion of a network from another portion, allowing only authorized network traffic to
pass through according to traffic filtering rules.
Forest
A group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema,
configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All
trees in a given forest trust each other through transitive bidirectional trust relationships. Unlike a tree, a forest does not need
a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees
in a forest form a hierarchy for the purposes of trust.
Global Catalog (GC)
The global catalog contains a partial replica of every Windows 2000 / Windows 2003 domain in the directory. The GC lets
users and applications find objects in an Active Directory domain tree, given one or more attributes of the target object. It also
contains the schema and configuration of directory partitions. This means the global catalog holds a replica of every object in
the Active Directory, but with only a small number of their attributes. The attributes in the global catalog are those most
frequently used in search operations (such as a user’s first and last names, logon names, and so on), and those required to
locate a full replica of the object. The GC allows users to find objects of interest quickly without knowing what domain holds
them and without requiring a contiguous (a single logical directory tree, as opposed to a set of directory trees) extended
namespace in the enterprise. The global catalog is built automatically by the Active Directory replication system.
Global Catalog server
A Windows 2000 / Windows 2003 domain controller that holds a copy of the global catalog for the forest.
Globally Unique Identifier (GUID)
A 16-byte value generated from the unique identifier on a device, the current date and time, and a sequence number. A GUID
is used to identify a particular device, component, user, or session.
Group
A collection of users, computers, contacts, and other groups. Groups can be used as security or as email distribution
collections. Distribution groups are used only for email. Security groups are used both to grant access to resources and as
email distribution lists.
Group memberships
The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In
most cases, the actions a user can perform in Windows are determined by the group memberships of the user account to
which the user is logged on.
Group Policy object (GPO)
A logical concept that is used to represent a single collective set of computer and/or user policies. It is given a unique name,
such as a globally unique identifier (GUID). A GPO can be associated with one or more Active Directory containers, such as a
site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can
have more than one associated GPO.
In addition, by default every computer receives a local Group Policy object (LGPO) that contains only security-specific
policies. It is also possible for the administrator to set and apply different local group policies on individual computers. This is
useful for computers that are not members of a domain, or computers that the administrator wishes to exempt from Group
Policy inherited from the domain.
Hierarchical namespace
Any namespace that is hierarchically structured and provides rules that allow the namespace to be partitioned. Both the DNS
namespace and the Active Directory namespace are examples of a hierarchical namespace.
Hotfix
A single cumulative package composed of one or more files used to address a problem in a product. Hotfixes address a
specific customer situation and may not be distributed outside the customer organization. The terms QFE, patch and update
have been used in the past as synonyms for hotfix.
Kerberos
A security system that authenticates users. Kerberos doesn’t provide authorization to services or databases; it establishes
identity at logon, which is used throughout the session. The Kerberos protocol is the primary authentication mechanism in the
Windows 2000 and Windows 2003 operating systems.
Knowledge Consistency Checker (KCC)
A built-in service that runs on all domain controllers and automatically establishes connections between individual machines in
the same site. These are known as Windows 2000 and Windows 2003 Directory Service connection objects. An administrator
may establish additional connection objects or remove connection objects. At any point, however, where replication within a
site becomes impossible or has a single point of failure, the KCC will step in and establish as many new connection objects as
necessary to resume Active Directory replication.
ldp.exe is a graphical user interface (GUI) tool for general administration of a Lightweight Directory Access Protocol (LDAP)
directory service.
A command-line tool for importing and exporting directory contents to and from Active Directory / ADAM, such as schema
definitions and directory objects, that are stored as LDAP Data Interchange Format (LDIF) files.
Lightweight Directory Access Protocol (LDAP)
An industry-standard protocol established by the Internet Engineering Task Force (IETF) that allows users to query and
update information in a directory service. LDAP is the primary access protocol for Active Directory; Active Directory supports
both LDAP version 2 and LDAP version 3.
Microsoft Digest
A security support provider (SSP) that implements the Digest Access protocol. Microsoft Digest provides a simple challenge-
response mechanism for authenticating clients, and it is intended for use by client/server applications that use
communications that are based on Hypertext Transfer Protocol (HTTP) or Simple Authentication and Security Layer (SASL).
Mixed mode
Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed
mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000
features are disabled. In mixed mode, the domain may have Windows NT 4.0 backup domain controllers present. Nested
groups are not supported in mixed mode.
Multi-master replication (in Active Directory)
A feature of Active Directory that provides and maintains copies of the directory across multiple servers in a domain. Since all
replicas of a given directory partition are writable, updates can be applied to any replica of a given partition. The Active
Directory replication system propagates the changes from a given replica to all other replicas. Replication is automatic and
transparent. Active Directory multi-master replication propagates every object (such as users, groups, computers, domains, organizational
units, security policies, and so on) created on any domain controller to each of the other participating domain controllers. If
one domain controller in a domain slows or fails, other domain controllers in the same domain can provide the necessary
directory access because they contain the same directory data.
Multi-master replication (in ADAM)
A feature of Active Directory Application Mode that provides and maintains copies of the directory across multiple servers in a
configuration set. Since all replicas of a given configuration set are writable, updates can be applied to any replica of a given
partition in a replication set. The Active Directory Application Mode replication system propagates the changes from a given
replica to all other replicas. Replication is automatic and transparent.
Active Directory Application Mode multi-master replication propagates every object created on any ADAM instance to each of
the other participating ADAM instances that span a replica set. If one ADAM instance slows or fails, other ADAM instances in
the same replica set can provide the necessary directory access because they contain the same directory data.
Namespace
A name, or group of names, that is defined according to some naming convention; any bounded area in which a given name
can be resolved. Active Directory is primarily a namespace, as is any directory service. A telephone directory is also a
namespace. The Internet uses a hierarchical namespace that partitions names into categories known as top-level domains
such as .com, .edu, and .gov, which are at the top of the hierarchy.
Name resolution
The process of translating a name into some object or information that the name represents. A telephone book forms a
namespace in which the names of telephone subscribers can be resolved into telephone numbers. The Windows NTFS file
system forms a namespace in which the name of a file can be resolved into the file itself. Similarly, Active Directory forms a
namespace in which the name of an object in the directory can be resolved into the object itself.
Native mode
When all the domain controllers in a given domain are running Windows 2000 or when all the domain controllers in a given
domain are running Windows Server 2003. This mode allows organizations to take advantage of Active Directory features
such as Universal groups, nested group membership, and inter-domain group membership.
Network Service account
A predefined local account that is used to start a service and provide the security context for that service. The name of the
account is NT AUTHORITY\NetworkService. The Network Service account has limited access to the local computer and
authenticated access (as the computer account) to network resources.
Object
A distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. The
attributes hold data describing the thing that is identified by the directory object. Attributes of a user might include the user’s
given name, surname, and e-mail address.
Object identifier (OID)
A number that identifies an object class or attribute. Object identifiers (OIDs) are organized into an industry-wide global
hierarchy. An object identifier is represented as a dotted decimal string, such as, with each dot representing a new
branch in the hierarchy. National registration authorities issue root object identifiers to individuals or organizations, who
manage the hierarchy below their root object identifier.
Organizational unit (OU)
A container object that is an Active Directory administrative partition. OUs can contain users, groups, resources, and other
OUs. Organizational units enable the delegation of administration to distinct sub-trees of the directory.
Parent-child trust relationship
The two-way, transitive trust relationship that is established when you add a domain to an Active Directory tree. The Active
Directory installation process automatically creates a trust relationship between the domain you are creating (the new child
domain) and the parent domain.
Partition
A complete unit of replication within the store.
See also: application partition, configuration partition, directory partition, schema partition
Permission
Authorization to perform operations associated with a specific shared resource, such as a file, directory, or printer.
Permissions must be granted by the system administrator to individual user accounts or administrative groups.
Relative Distinguished name (RDN)
The part of the name of an object that is an attribute of the object itself. The attribute that provides the RDN for an object is
referred to as the naming attribute.
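To make the RDN and naming-attribute relationship concrete, here is an added Python example (not from the glossary) that splits a constructed DN into its RDNs, honouring RFC 4514 escaping, and returns the leaf's naming attribute and the parent container's DN.

```python
"""Added example: split an LDAP distinguished name into its RDNs and pull out
the naming attribute of the leaf object. Escape handling follows RFC 4514
(backslash-escaped specials and \\XX hex pairs); the sample DNs are constructed.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split on unescaped commas; a backslash escapes the character after it."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape intact for now
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape(value: str) -> str:
    """Resolve \\, \\+ \\= style escapes and \\2C style hex escapes to plain text."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))   # hex-encoded byte
                i += 3
            else:
                out.append(value[i + 1])         # escaped special character
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def naming_attribute(dn: str) -> Tuple[str, str]:
    """Return (attribute, value) of the leaf RDN, e.g. ("CN", "Smith, John")."""
    leaf = split_dn(dn)[0]
    attr, sep, value = leaf.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {leaf!r}")
    return attr.strip(), unescape(value.strip())


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (every RDN after the leaf)."""
    return ",".join(split_dn(dn)[1:])


if __name__ == "__main__":
    # Constructed DN with an escaped comma inside the naming attribute's value.
    sample = "CN=Smith\\, John,OU=Sales,DC=example,DC=com"
    print(split_dn(sample), naming_attribute(sample), parent_dn(sample))
```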
Remote Procedure Call (RPC)
A communication mechanism that allows computers to communicate with one another over a network. An RPC consists of a
procedure identifier, parameters passed to the procedure, and a value returned to the caller (client computer) after the
procedure has executed on the remote system (server computer).
Replica
In Active Directory replication, one instance of a logical Active Directory partition that is synchronized by means of replication
between domain controllers that hold copies of the same directory partition.
Replication
In database management, the function that keeps distributed databases synchronized by routinely copying the entire
database or subsets of the database to other servers in the network. There are several methods of replication, including
primary site replication, shared or transferred ownership replication, symmetric replication, (also known as update-anywhere
or peer-to-peer replication), and failover replication.
Schema
The Active Directory schema contains the definitions for all objects in the directory. Every new directory object created is
validated against the appropriate object definition in the schema before being written to the directory. The schema is made up
of object classes and attributes. The base (or default) schema contains a rich set of object classes and attributes to meet the
needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory
services. Because it is extensible, you can modify and add classes and attributes to the base schema.
Schema partition
The schema directory partition holds the definitions for the type of data that can be held by the directory store. Both the Active
Directory and ADAM services rely on the definitions in their respective schema partitions for maintaining data consistency. In
addition, applications can refer to the schema partition to determine the type of data that the Active Directory forest or the
ADAM instance allows. The schema can be extended to allow Active Directory and ADAM to hold data that is specific to a
particular application.
Schema cache
An in-memory copy of the schema on the domain controller. To improve performance on schema operations (such as new
object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it holds on disk). This
cached version is automatically updated (after a small time interval) each time you update the schema. Additionally, you can
reload the updated schema to cache manually for immediate effect.
Secure Sockets Layer (SSL)
A protocol that provides secure data communication through data encryption. This protocol enables authentication, integrity,
and data privacy over networks through a combination of digital certificates, public-key cryptography, and bulk data
encryption. This protocol does not provide authorization or non-repudiation.
Security context
The security attributes or rules that are currently in effect. For example, the rules that govern what a user can do to a
protected object are determined by security information in the user's access token and in the object's security descriptor.
Together, the access token and the security descriptor form a security context for the user's actions on the object.
Security descriptor
A structure and associated data that contains the security information for a securable object. A security descriptor identifies
the object's owner and primary group. It can also contain a discretionary access control list (DACL) that controls access to the
object, and a system access control list (SACL) that controls the logging of attempts to access the object.
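Added example (not from the glossary): a simplified Python model of how the access token and the security descriptor's DACL from the entries above combine in a Windows-style access check, showing the canonical deny-before-allow ordering and the difference between a NULL DACL and an empty one. The SIDs and the object-specific mask bits are constructed for the demo.

```python
"""Added example: a simplified model of the Windows access check.
The caller's access token (its user and group SIDs) is evaluated against the
object's security descriptor (owner plus a DACL made of ACEs). ACEs are walked
in order with first-match semantics, so a deny ACE placed before an allow wins.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed object-specific rights for the demo; the standard rights below
# them use the real Windows bit positions.
READ = 0x1
WRITE = 0x2
DELETE = 0x10000        # DELETE (standard right)
READ_CONTROL = 0x20000  # read the security descriptor (standard right)
WRITE_DAC = 0x40000     # change the DACL (standard right)

# Constructed SIDs (the domain part is made up, not a real domain).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
EVERYONE = "S-1-1-0"
ALICE = DOMAIN + "-1105"
FINANCE = DOMAIN + "-1210"
DOMAIN_ADMINS = DOMAIN + "-512"


@dataclass
class ACE:
    ace_type: str   # "allow" or "deny"
    sid: str        # trustee: a user or group SID
    mask: int       # rights this ACE grants or denies


@dataclass
class SecurityDescriptor:
    owner: str
    # None models a NULL DACL (no protection at all); [] models an empty DACL
    # (nobody is granted anything). The two are very different.
    dacl: Optional[List[ACE]] = None


@dataclass
class AccessToken:
    user_sid: str
    group_sids: List[str] = field(default_factory=list)

    def sids(self) -> set:
        return {self.user_sid, *self.group_sids}


def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> bool:
    """Return True when every bit in `desired` is granted to the token."""
    if sd.dacl is None:
        return True                      # NULL DACL: unprotected object
    token_sids = token.sids()
    remaining = desired
    # The owner implicitly holds READ_CONTROL and WRITE_DAC, whatever the DACL says.
    if sd.owner in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if remaining == 0:
            break                        # everything requested is already granted
        if ace.sid not in token_sids:
            continue                     # ACE does not apply to this caller
        if ace.ace_type == "deny":
            if ace.mask & remaining:
                return False             # a deny on any outstanding bit ends the check
        elif ace.ace_type == "allow":
            remaining &= ~ace.mask       # strip the bits this ACE grants
    # Reaching the end with bits outstanding (including an empty DACL) is a deny.
    return remaining == 0


def demo() -> dict:
    """Constructed scenarios showing ACE ordering and NULL-vs-empty DACL effects."""
    alice = AccessToken(ALICE, [EVERYONE, FINANCE])
    bob = AccessToken(DOMAIN + "-1106", [EVERYONE])
    # Canonical order: deny ACEs first, then allow ACEs.
    report = SecurityDescriptor(owner=DOMAIN_ADMINS, dacl=[
        ACE("deny", FINANCE, WRITE),
        ACE("allow", EVERYONE, READ),
        ACE("allow", FINANCE, READ | WRITE | DELETE),
    ])
    return {
        "alice_read": access_check(alice, report, READ),
        "alice_write": access_check(alice, report, WRITE),       # deny ACE wins
        "alice_delete": access_check(alice, report, DELETE),
        "bob_read": access_check(bob, report, READ),
        "bob_delete": access_check(bob, report, DELETE),         # no allow ACE matches
        "empty_dacl_read": access_check(alice, SecurityDescriptor(ALICE, []), READ),
        "owner_read_control": access_check(alice, SecurityDescriptor(ALICE, []), READ_CONTROL),
        "null_dacl_delete": access_check(bob, SecurityDescriptor(DOMAIN_ADMINS, None), DELETE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'granted' if ok else 'denied'}")
```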
Security Identifier (SID)
A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a
unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the
account's user or group name.
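As an added example (not from the glossary), the following Python shows the variable-length binary structure behind a SID and converts it to and from the familiar S-1-5-... text, then splits an account SID into its domain SID and RID. The sample SID bytes are constructed and do not belong to a real domain.

```python
"""Added example: the variable-length binary SID structure. Layout (the
documented Windows format): 1-byte revision, 1-byte sub-authority count,
6-byte big-endian identifier authority, then count x 4-byte little-endian
sub-authorities. The sample values are constructed.
"""
import struct
from typing import Tuple

MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in the Windows SDK


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID into its textual S-R-I-S... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit authority
    subs = struct.unpack_from("<%dI" % count, raw, 8)    # little-endian DWORDs
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Encode S-R-I-S... text into the binary structure (inverse of the above)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("too many or too large sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(text: str) -> Tuple[str, int]:
    """Split an account SID into the issuing domain's SID and the account's
    relative identifier (the final sub-authority, e.g. 512 for Domain Admins)."""
    domain, _, rid = text.rpartition("-")
    return domain, int(rid)


# Constructed sample: an account in a made-up domain (not a real domain SID).
SAMPLE_SID = bytes.fromhex(
    "01 05 "                    # revision 1, five sub-authorities
    "00 00 00 00 00 05 "        # identifier authority 5 (NT Authority)
    "15 00 00 00 "              # 21
    "c7 35 3a 42 "              # 1111111111
    "8e 6b 74 84 "              # 2222222222
    "55 a1 ae c6 "              # 3333333333
    "51 04 00 00 "              # 1105 (the account's RID)
)

if __name__ == "__main__":
    text = sid_to_string(SAMPLE_SID)
    print(text, split_domain_rid(text))
```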
Security package
The software implementation of a security protocol. Security packages are contained in security support provider dynamic-link
libraries (DLLs) or in security support provider/authentication package DLLs.
Security principal
The term security principal refers to any object that has a security identifier (SID) and that can be assigned permissions to
directory (and all MS Windows securable) objects. A security principal can be a user, group, service, or computer.
Security protocol
A specification that defines security-related data objects and rules about how the objects are used to maintain security on a
computer system.
Security Support Provider (SSP)
A dynamic-link library (DLL) that implements the Security Support Provider Interface (SSPI) by making one or more security
packages available to applications. Each security package provides mappings between an application's SSPI function calls
and an actual security model's functions. Security packages support security protocols such as Kerberos and NTLM.
Security Support Provider Interface (SSPI)
A common interface between transport-level applications, such as Microsoft Remote Procedure Call (RPC), and security
support providers (SSPs), such as Windows Distributed Security. SSPI allows a transport application to call one of the SSPs
to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol's details.
Service Account
An account (either a local Windows account or a domain account) in whose security context a service runs on a Windows
Service Principal Name (SPN)
A way of referring to a service principal. SPN structures generally follow Internet Engineering Task Force (IETF) naming
conventions, and they often include the name of the computer on which the service is running. SPNs may be used to request
Kerberos tickets, and they are required for mutual authentication.
Simple Authentication and Security Layer (SASL)
An open framework, described in Request for Comments (RFC) 2222, for adding authentication support to connection-based
Single-master operations
Active Directory operations that are single-master, that is, not permitted to occur at different places in the network at the same
time. Examples of these operations include relative identifier (RID) allocation, schema modification, and certain infrastructure
Site
A location in a network holding Active Directory servers. A site is defined as one or more well-connected TCP/IP subnets.
Well-connected means that network connectivity is highly reliable and fast (LAN speeds, 10 million bits per second or greater).
Sites play a major role in the Active Directory replication service, which differentiates between replication using a local
network connection (intra-site replication) and replication over a slower wide area network (WAN) link (inter-site replication).
Administrators use the Active Directory Sites and Services Manager snap-in to administer replication topology for both intra-
and inter-site replication.
Site Link
An object in Active Directory that contains information about the link between two Active Directory sites. Information contained
in a site-link includes such information as what connections are available, which ones are preferred, and how much bandwidth
is available. Active Directory uses this information to choose times and connections for replication that will afford the best
Synchronization
The act of synchronizing data between two or more logically connected data stores.
Transitive trust
The trust relationship that inherently exists between Windows 2000 and/or Windows Server 2003 domains in a domain tree or
forest, or between trees in a forest, or that can exist between forests. When a domain joins an existing forest or domain tree, a
transitive trust is automatically established. Transitive trusts are always two-way relationships. This series of trusts, between
parent and child domains in a domain tree and between root domains of domain trees in a forest, allows all domains in a
forest to trust each other for the purposes of authentication. For example, if domain A trusts domain B and domain B trusts
domain C, then domain A trusts domain C.
Tree
A set of Windows NT /2000/2003 domains connected together through transitive, bidirectional trust, sharing a common
schema, configuration, and global catalog. The domains must form a contiguous hierarchical namespace such that if is
the root of the tree, is a child of, is a child of, and so on.
Well-connected
Sufficient connectivity to make your network and Active Directory useful to clients on your network. The precise meaning of
the term is determined by your particular needs.
X.500
A set of standards defining a distributed directory service, developed by the International Standards Organization (ISO).