Default Containers
Within the Active Directory Users and Computers tool on a Windows 2000
Domain Controller, you will see the following container objects:
- Built-In - The Built-In container includes all of the standard groups that are installed by default when promoting a domain controller. These groups are used for administering the servers in your environment. Examples include the Administrators group, Backup Operators, and Print Operators.
- Computers - By default, the Computers container contains a list of workstations in your domain. From here, you can manage all the computers in your domain.
- Domain Controllers - This container includes a list of all domain controllers in the domain.
- Foreign Security Principals - Security principals are Active Directory objects to which permissions can be applied. Foreign Security Principals are any objects to which security can be assigned and that are not part of the current domain.
- Users - The Users container includes all of the security accounts that are part of the domain. Upon DC promotion, there will be several groups in this container. For example, the Domain Admins group and the Administrator account are created in this container.
- Advanced View: System - The System folder provides a list of some additional features that can be configured to work with the Active Directory. For example, you can configure settings for the Distributed File System (DFS), IP Security policies, the File Replication Service, and more.
- Advanced View: LostAndFound - The LostAndFound folder contains any files that may not have been replicated properly between domain controllers. You should check this folder periodically for any files so that you can decide whether you need to move them or copy them to other locations.
AD Users and Groups
Groups can contain up to 5,000 members. A user's primary group (such as Domain
Users) is not stored in the group membership list. An access token, assigned
to a user at domain logon, can contain up to 1,024 groups.
Global Groups:
- Use to organize users by job function and similar network access requirements.
- Can only contain members from the domain in which it exists.
- Can contain other global groups (in native mode).
- Visible from all trusted domains throughout the forest.
- Use to grant permissions to resources located in ANY domain within the forest.
Universal Groups:
- Use Universal groups to consolidate groups that span multiple domains.
- Use for permissions for all domains in the forest.
- Can contain members from any domain throughout the forest.
- Can contain Global groups and other universal groups.
- Exists in the Global Catalog (so don't directly add users, add groups).
- Visible from all trusted domains throughout the forest.
- Not available in mixed mode.
Domain Local Groups:
- Can contain members from any domain throughout the forest.
- Can only grant permissions to resources where the group is created.
- Don't use for AD permission assignment on objects.
- Can contain Global groups from any domain throughout the forest.
- Can contain other Domain Local groups from the same domain in which it is created (in native mode).
- Use to assign permissions to resources in domain where created.
- Only visible in domain in which it was created.
Group users into Global groups by similar job function and network access
requirements. Grant access to resources with Domain Local Groups and put
the needed Global groups into the Domain Local Group. Nest Global groups
from each domain in one Universal group. Add Universal group to Domain
Local groups that are created for resource access.
Domain Local Group SECDLG has read permission to the secret folder. No other
group does. The Global Group SECGG is a "Member Of" the Domain Local
Group SECDLG, therefore users who need to access the secret folder should
be "Member Of" the Global Group SECGG.
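The scope rules and the SECDLG/SECGG arrangement above, as an added Python model (not part of the original notes): can_contain() encodes which memberships each group scope permits, and effective_groups() resolves nested membership the way the access token would see it. All user, group and domain names are constructed.

```python
# Added example (not from the original notes): models the Windows 2000 group scope
# rules listed above and resolves nested membership. All names are constructed.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    domain: str

@dataclass
class Group:
    name: str
    scope: str                                 # "global", "universal" or "domain_local"
    domain: str
    members: set = field(default_factory=set)  # names of member users and nested groups

def can_contain(parent, member, native_mode=True):
    """Apply the scope rules: may `parent` directly contain `member`?"""
    if parent.scope == "universal" and not native_mode:
        return False                           # universal groups are not available in mixed mode
    if isinstance(member, User):               # only global groups restrict users to their own domain
        return parent.scope != "global" or member.domain == parent.domain
    if parent.scope == "global":               # nests same-domain global groups, native mode only
        return native_mode and member.scope == "global" and member.domain == parent.domain
    if parent.scope == "universal":            # nests global and universal groups from any domain
        return member.scope in ("global", "universal")
    if member.scope == "domain_local":         # domain local nests domain local from its own domain
        return native_mode and member.domain == parent.domain
    return True                                # domain local nests global/universal from any domain

def add_member(parent, member, native_mode=True):
    if not can_contain(parent, member, native_mode):
        raise ValueError(f"{parent.scope} group {parent.name} cannot contain {member.name}")
    parent.members.add(member.name)

def effective_groups(user, groups):
    """Collect every group the user belongs to, directly or through nesting."""
    found, frontier = set(), {user.name}
    while frontier:
        frontier = {g.name for g in groups if g.members & frontier} - found
        found |= frontier
    return found

def build_secret_folder_example():
    """The notes' pattern: SECDLG holds the folder permission, SECGG holds the users."""
    alice = User("alice", "corp")
    secdlg = Group("SECDLG", "domain_local", "corp")
    secgg = Group("SECGG", "global", "corp")
    add_member(secdlg, secgg)                  # resource group nests the role group
    add_member(secgg, alice)                   # users go into the global group only
    return alice, [secdlg, secgg]
```

Because alice reaches SECDLG only through SECGG, removing her from the global group is enough to revoke the folder access without touching the resource group.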
AD Object Properties
A Security Principal contains:
- DACL - Identifies "security principals" that are allowed or denied access and the level of access or deny.
- SACL - Controls how object access will be audited. The SACL only exists if auditing of some type is implemented on the object.
- SID - A unique Security IDentifier for objects. The SID is never reused, even if the object to which it was assigned is deleted.
A Security Descriptor is a binary data structure within the Access
Control List (ACL) of a securable object.
DACL/SACL struct(header, ownerSID, primaryGroupSID, DACL[], SACL[])
The [] in DACL and SACL is an array of Access Control Entries (ACEs).
The ACE structure is:
ACE struct(SID, AllowDeny, operationsAllowDeny, inheritance, ACETypeFlag)
Example user: User Name
User Principal Name (UPN) or user logon name = usern@domain.com
"usern" is the UPN prefix, "domain.com" is the UPN suffix.
Distinguished Name (DN) = cn=User Name,ou=hr,dc=domain,dc=com
objectClass = user
sAMAccountName = usern@domain.com
displayName = User Name
userAccountControl = (enabled)? 512 : 514
An Administrator can take ownership of an AD Object, but an Administrator
cannot transfer ownership of an AD object.
If a member of the Administrators group takes ownership of an AD object, the
default owner is the group, not the individual administrator.
The Owner information for an object is accessible on the Owner tab of the
Advanced options, accessible from the Security tab.
Publishing AD Objects
Two of the most commonly used resources in a networked environment are server
file shares and printers. These are commonly known as File/Print Servers.
An important aspect of managing Active Directory objects is that a systems
administrator can control which objects users can see. The act of making an
Active Directory object available is known as publishing. The two
main publishable objects are Printers and Shared Folders.
The process of creating server shares and shared printers has generally
remained unchanged. With Active Directory, there is an additional step:
Publishing the object. You can also publish Windows NT 4 resources through
the Active Directory.
The use of Active Directory Objects offers systems administrators the ability
to change the resource to which the object points without having to
reconfigure or even notify clients. For example if a share was moved to
another server or share name, the object would be updated and the clients
who access the share will still point to the object, which has the updated
path.
Without the Active Directory, Windows NT 4 shares and printers are only
accessible through the use of NetBIOS naming. If you are planning to disable
NetBIOS naming and multi-segmented WINS scheming, you must be sure that
these NT 4 resources have been published in the Active Directory as AD
objects.
Publishing Printers
Create a printer with the usual printer creation method. Share the printer
as "printerx". In the properties of "printerx", on the sharing tab, the
check box labeled "List in the Directory" allows the printer to be published
in Active Directory for searching capabilities.
Every Windows 2000 Printer Server that is a member of a domain, or is a
domain controller, automatically publishes its printers in Active Directory
once the printer has been shared.
Note that when you create and share a printer this way, an Active Directory
Printer object is not displayed in AD Users and Computers. The printer is
actually associated with the Computer object which it was shared from. The
Printer objects in AD are manually created for sharing printers from Windows
NT 4 and other legacy printer resources.
When manually publishing printers for NT4 and 9x machines, you can use AD
Users and Computers or a script file named system32\pubprn.vbs.
PUBPRN.VBS: Publish a specific printer:
pubprn.vbs \\SERVER\PRINTER LDAP://ou=managers,dc=domain,dc=com
PUBPRN.VBS: Publish all printers:
pubprn.vbs \\SERVER LDAP://ou=managers,dc=domain,dc=com
Publishing Shared Folders
Create a shared folder with the usual share creation method. Share the folder
from the properties / sharing tab. Open the Active Directory Users and
Computers tool. Expand current domain, right-click an OU, select New ->
Shared Folder. From here, type in a name for the shared folder and the UNC
path to the share.
Once you have created and published a shared folder, clients can use the
"My Network Places" icon to find this object. It will be organized within
the OU in which you placed the shared folder object in Active Directory.
Computer objects can be created and deleted using the Active Directory Users
and Computers tool, but they cannot be renamed.
Organizational Units (OUs)
The logical structure of the Active Directory consists of containers,
domains, and organizational units (OUs). A container is an AD
object that holds other AD objects. Domains and OUs are examples of
container objects.
Each domain can consist of multiple Organizational Units (OUs),
logically organized in a hierarchical structure. OUs may contain users,
groups, security policies, computers, printers, file shares, and other
Active Directory objects.
The primary purpose of Organizational Units (OUs) is to logically group
Active Directory objects, just as their name implies. They serve as
containers within which other Active Directory objects can be created.
OUs can contain the following types of Active Directory objects:
- User Objects
- Group Objects
- Computer Objects
- Shared Folders
- Other Organizational Units
The Benefits of Organizational Units are:
- OUs are the smallest unit to which you can assign permissions.
- The OU structure can be easily changed as opposed to the domain structure.
- The OU structure can support many different levels of hierarchy.
- OU settings can be inherited by child objects.
- Administration of OUs and their objects can be easily delegated to appropriate Users and Groups.
Objects within an OU are referred to as "Security Principals".
The maximum length for the name of an OU is 65 characters.
If you need to move an entire OU structure between domains, you can use the
MOVETREE command available in the Windows 2000 Resource Kit.
AD Objects and the AD Database
Deleting Objects
When an object is deleted from Active Directory, most of the object's
attributes are removed, the object is moved to the Deleted Objects folder,
and then the object is tombstoned. A tombstone lifetime is the time
between when the object was deleted and the time in which the object is
actually removed from the database. The default tombstone lifetime is
60 days.
You can move and rename objects within the Active Directory. Deleting an
Active Directory object is an irreversible action. When an object is
destroyed, any security permissions or other settings made for that object
are removed as well. Since each object within Active Directory contains its
own security identifier (SID), simply re-creating an object with the same
name will not place any permissions on it; the permissions are assigned to
the SID, not the name.
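The security descriptor and ACE layout from the AD Object Properties section, together with the point just made about SIDs, as an added Python model (not part of the original notes): access_check() performs the ordered DACL walk Windows uses (an explicit deny on a bit still being sought ends the check), and recreate_user_demo() shows that an account re-created under the same name, but with a new SID, no longer matches the old ACE. All SIDs and access-mask bits are constructed.

```python
# Added example (not from the original notes): a minimal model of the security
# descriptor and ACE layout above, with the ordered DACL walk Windows performs, and
# a check of why a re-created object keeps its name but not its permissions.
# All SIDs and access bits here are constructed.
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2            # constructed access-mask bits

@dataclass
class ACE:
    sid: str                      # security principal the entry applies to
    allow: bool                   # ACE type: access-allowed (True) or access-denied (False)
    mask: int                     # operations allowed or denied
    inherited: bool = False       # inheritance flag

@dataclass
class SecurityDescriptor:
    owner_sid: str
    primary_group_sid: str
    dacl: list = field(default_factory=list)   # ACE[] deciding access
    sacl: list = field(default_factory=list)   # ACE[] deciding what is audited

def access_check(sd, token_sids, desired):
    """Walk the DACL in order until every desired bit is granted or one is denied."""
    if not sd.dacl:               # an empty DACL grants nothing
        return False
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False          # explicit deny on a bit still being sought
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                  # some bit was never granted: implicit deny

def recreate_user_demo():
    """Re-creating a deleted account with the same name yields a new SID, so the old ACE no longer matches."""
    old_sid = "S-1-5-21-1000-1000-1000-1105"  # constructed SID of the original account
    new_sid = "S-1-5-21-1000-1000-1000-1106"  # constructed SID issued on re-creation
    sd = SecurityDescriptor("S-1-5-21-1000-1000-1000-512", "S-1-5-21-1000-1000-1000-513",
                            dacl=[ACE(old_sid, True, READ | WRITE)])
    return access_check(sd, {old_sid}, READ), access_check(sd, {new_sid}, READ)
```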
Garbage Collection
Garbage collection is a process that runs on domain controllers every
12 hours (by default). The garbage collection process deletes expired or
tombstoned objects and defragments the Active Directory database file
NTDS.DIT.
Defragmentation rearranges database records into contiguous sectors in the
Active Directory Database file NTDS.DIT. This allows for faster read access
and less disk activity. The garbage collection process performs an
online defrag. An online defrag only defragments the database. An
offline defrag defragments the database and compacts it. An offline
defrag is done manually in Directory Services Restore Mode.
Configuring Garbage Collection and Tombstone Lifetime
Use ADSI Edit to connect to configuration container on the domain controller.
Go to Configuration\Services\Windows NT\Directory Service and open its properties.
From the "Select which properties to view" box, scroll down to
"garbageCollPeriod" and "tombstoneLifetime". The default setting is
<not set>.