Active Directory
Travis Favors, Ryan Manuel, Robert Rayer
Active Directory
Contains information about all objects in an organization’s network.
Arranges objects into logical, hierarchical groups.
Provides permissions based on the stored information.
Authenticates users, groups, and computers (see User Authentication below).
Attributes
Characteristics and information that belong to an object
Can be required or optional
Objects
Entities on the network
Composed of attributes
Example objects: user, printer, shared folder
Object Classes
Lists the attributes associated with objects of that class, and which of them are required or optional
Blueprint for object creation
Schema
Master list of all object classes
Defines every object class and the attributes available to objects of that class
Identifies the relationships between object classes (for example, which class another class derives from)
[Diagram: Schema -> Object Classes -> Attributes. The object class User has the attributes name and department; Printer has name and location; Shared Folder has name and description.]
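The schema-as-blueprint idea above can be made concrete with a small model in which each object class names its required and optional attributes and inherits both from its parent class, so that creating an object is checked against the schema. This is an added example written for this page, not code from the slides or from Active Directory itself; the must_contain/may_contain split is named after the real schema's mustContain/mayContain attributes, but the class hierarchy and attribute sets are simplified, constructed sample data.

```python
"""Toy model of the Active Directory schema: object classes as blueprints.

Added example, not from the original slides. The must_contain/may_contain
split mirrors the real schema's mustContain/mayContain attributes, but the
class hierarchy and attribute sets below are simplified, constructed data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must_contain: FrozenSet[str]            # required attributes
    may_contain: FrozenSet[str]             # optional attributes
    parent: Optional[str] = None            # superclass whose attributes are inherited


class Schema:
    """Master list of object classes; resolves each class's full attribute set."""

    def __init__(self, classes: List[ObjectClass]):
        self.classes: Dict[str, ObjectClass] = {c.name: c for c in classes}

    def required(self, class_name: str) -> FrozenSet[str]:
        cls = self.classes[class_name]
        inherited = self.required(cls.parent) if cls.parent else frozenset()
        return inherited | cls.must_contain

    def allowed(self, class_name: str) -> FrozenSet[str]:
        cls = self.classes[class_name]
        inherited = self.allowed(cls.parent) if cls.parent else frozenset()
        return inherited | cls.must_contain | cls.may_contain

    def validate(self, class_name: str, attributes: Dict[str, str]) -> List[str]:
        """Return the problems with creating an object; an empty list means valid."""
        if class_name not in self.classes:
            return [f"unknown object class {class_name!r}"]
        present = set(attributes)
        problems = [f"missing required attribute {a!r}"
                    for a in sorted(self.required(class_name) - present)]
        problems += [f"attribute {a!r} not defined for class {class_name!r}"
                     for a in sorted(present - self.allowed(class_name))]
        return problems


# Constructed sample schema (real AD classes carry many more attributes)
SCHEMA = Schema([
    ObjectClass("top", frozenset({"objectClass"}), frozenset({"description"})),
    ObjectClass("person", frozenset({"cn"}), frozenset({"sn", "telephoneNumber"}), parent="top"),
    ObjectClass("user", frozenset(), frozenset({"sAMAccountName", "department"}), parent="person"),
    ObjectClass("printQueue", frozenset({"cn", "printerName"}), frozenset({"location"}), parent="top"),
    ObjectClass("volume", frozenset({"cn", "uNCName"}), frozenset(), parent="top"),
])

if __name__ == "__main__":
    for cls, attrs in [
        ("user", {"objectClass": "user", "cn": "jdoe", "department": "IT"}),
        ("user", {"objectClass": "user", "department": "IT"}),
        ("printQueue", {"objectClass": "printQueue", "cn": "p1",
                        "printerName": "Lobby", "department": "IT"}),
    ]:
        print(cls, SCHEMA.validate(cls, attrs) or "ok")
```

The second and third sample objects are rejected: the user is missing the cn attribute that user inherits from person, and department is not defined anywhere in the printQueue class chain. This is the same kind of check a domain controller performs against the real schema before it will create an object.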
Access Control
Used to manage user access to shared resources
Administered at the object level by setting permissions
Examples: Full Control, Write, Read, and No Access
Permissions are set on shared objects
Shared objects are objects intended to be used over a network by more than one user
Three elements define access control permissions: security descriptors, user authentication, and object inheritance
Security Descriptors
Permissions are stored in security descriptors
A security descriptor contains two access control lists, each made up of access control entries (ACEs)
Discretionary Access Control List (DACL): which trustees are allowed or denied which rights
System Access Control List (SACL): which access attempts are audited
User Authentication
[Diagram: the access check. Subject = the user’s access token (user SID, group SIDs, list of privileges, other access information). Object = the object’s security descriptor (object owner SID, group SID, SACL of ACEs, DACL of ACEs). The subject’s token is checked against the object’s security descriptor.]
Active Directory also authenticates and authorizes users, groups, and computers to access objects on the network
The Local Security Authority (LSA) is responsible for all user authentication
LSA generates two pieces of information after a user’s identity is confirmed
Object Inheritance
[Diagram: nested OUs; permissions on a parent object flow down to its child objects.]
Objects inherit permissions from their parent container when they’re created
Inheritance can be turned off on an object, which stops its parent’s permissions from flowing down to it
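The access check from the User Authentication slide (token SIDs matched against the DACL) and the inheritance rules from this slide fit together in one small model: the effective DACL of an object is its own ACEs plus the inheritable ACEs of its ancestors, in the canonical order explicit-deny, explicit-allow, inherited-deny, inherited-allow, and the check walks that list until a deny covers a right still requested or the allows add up to everything requested. This is an added example written for this page, not code from the slides or from Windows; the access-mask bits, SIDs, OU tree and tokens are constructed sample data (only RID 512 for Domain Admins is a real well-known value), and the owner SID and SACL are carried but not evaluated.

```python
"""Simplified model of the AD access check and ACE inheritance.

Added example, not code from the original slides. Rights, SIDs and the
object tree below are constructed sample data; the algorithm follows the
documented Windows rules: ACEs are evaluated in canonical order, a deny
that covers a still-requested right ends the check, allows accumulate."""
from dataclasses import dataclass, field
from typing import List, Optional

# Access mask bits (constructed; real Windows masks are 32-bit)
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE

# Constructed SIDs for the sample domain (RID 512 is the real Domain Admins RID)
DOMAIN_ADMINS = "S-1-5-21-1-512"
SALES_STAFF = "S-1-5-21-1-1101"
CONTRACTORS = "S-1-5-21-1-1102"


@dataclass(frozen=True)
class ACE:
    sid: str                   # trustee: a user or group SID
    allow: bool                # True = access-allowed ACE, False = access-denied ACE
    mask: int                  # rights this ACE grants or denies
    inherit: bool = True       # propagate to child objects
    inherited: bool = False    # set on copies that came from a parent


@dataclass
class SecurityDescriptor:
    owner_sid: str
    # None models a NULL DACL: no protection, everyone gets everything.
    # An empty list is the opposite: nobody is granted anything.
    dacl: Optional[List[ACE]] = field(default_factory=list)


@dataclass
class AccessToken:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids


@dataclass
class ADObject:
    name: str
    sd: SecurityDescriptor
    parent: Optional["ADObject"] = None
    block_inheritance: bool = False   # "inheritance turned off" on this object


def effective_dacl(obj: ADObject) -> List[ACE]:
    """Own ACEs plus inheritable ancestor ACEs, in canonical order:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    explicit = list(obj.sd.dacl or [])
    inherited = []
    if obj.parent is not None and not obj.block_inheritance:
        inherited = [ACE(a.sid, a.allow, a.mask, a.inherit, inherited=True)
                     for a in effective_dacl(obj.parent) if a.inherit]
    return sorted(explicit + inherited, key=lambda a: (a.inherited, a.allow))


def access_check(token: AccessToken, obj: ADObject, desired: int) -> bool:
    """Walk the effective DACL. A deny ACE covering any right still needed
    ends the check; allow ACEs accumulate until nothing remains."""
    if obj.sd.dacl is None:
        return True                       # NULL DACL: no access control at all
    remaining = desired
    for ace in effective_dacl(obj):
        if ace.sid not in token.sids():
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                          # DACL exhausted without a full grant


# Constructed tree: OU=Sales -> CN=Bob (inherits) and CN=Q4-Reports (inheritance blocked)
SALES_OU = ADObject("OU=Sales", SecurityDescriptor(DOMAIN_ADMINS, [
    ACE(DOMAIN_ADMINS, True, FULL_CONTROL),
    ACE(SALES_STAFF, True, READ),
    ACE(CONTRACTORS, False, WRITE | DELETE),
]))
BOB = ADObject("CN=Bob", SecurityDescriptor(DOMAIN_ADMINS), parent=SALES_OU)
Q4_REPORTS = ADObject("CN=Q4-Reports", SecurityDescriptor(SALES_STAFF, [
    ACE(SALES_STAFF, True, READ | WRITE),
]), parent=SALES_OU, block_inheritance=True)

ALICE = AccessToken("S-1-5-21-1-1001", frozenset({SALES_STAFF}))
CAROL = AccessToken("S-1-5-21-1-1002", frozenset({SALES_STAFF, CONTRACTORS}))
DAN = AccessToken("S-1-5-21-1-1003", frozenset({DOMAIN_ADMINS}))

if __name__ == "__main__":
    for who, tok, obj, want in [("alice", ALICE, BOB, READ), ("carol", CAROL, BOB, WRITE),
                                ("carol", CAROL, Q4_REPORTS, WRITE), ("dan", DAN, Q4_REPORTS, READ)]:
        print(who, obj.name, hex(want), access_check(tok, obj, want))
```

Two results are worth noticing. Carol is denied WRITE on Bob because the deny ACE inherited from the OU is evaluated before the inherited allow, but she is granted WRITE on Q4-Reports because turning inheritance off on that object dropped the parent's deny along with everything else. For the same reason Dan, a Domain Admin, gets nothing on Q4-Reports in this model; on a real domain an administrator could still take ownership through a privilege in the token, which is the "list of privileges" part of the access token that this example does not evaluate.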
Workgroups
All computers are peers; no computer controls the others.
User accounts are local to each computer and aren’t shared.
Practical limit of about 20 computers.
No central authentication; each computer authenticates its own local accounts.
All computers must be on the same local network/subnet.
Domains
One or more servers (domain controllers) manage security and permissions for every computer in the domain
Easy to apply sweeping policy changes
Users must authenticate to the domain to access its resources
A domain user account can log on to any computer in the domain, subject to permissions
Enforces consistent configuration
Scales to very large numbers of computers
Computers can be spread across multiple networks
Organizational Units
Organize and segregate objects within a domain
Smallest scope to which Group Policy can be linked
Useful for representing the logical hierarchy of an organization
Can be nested
Reduces need for multiple domains to some degree
Allows for granular delegation of administrative authority
Trees
Domain trees are collections of domains arranged in a hierarchy that share a contiguous DNS namespace.
Domains created beneath another domain are child domains, and the domain above them is the parent domain; a child domain’s name is appended to its parent’s.
Forests
Complete instance of Active Directory
Contains all domain trees, including their domains and organizational units
The first domain created in a forest is called the forest root domain
Trust Relationships
Extend authentication across multiple domains: users in a trusted domain can be granted access to resources in the trusting domain
Allow access to data and storage locations on other domains
“Transitive” trust relationships extend trust from the trusted domain to all of that domain’s trusted domains, whereas “nontransitive” trusts do not. Parent-child and tree-root trusts inside a forest are two-way and transitive by default; external trusts to domains outside the forest are nontransitive.
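The transitive/nontransitive distinction decides which domains will accept a user's credentials, and it is easy to get wrong when trusts are chained. The following added example (written for this page, not from the slides or from any Microsoft tool) walks a constructed set of trusts: a forest with a root domain and two child domains joined by two-way transitive trusts, plus an external nontransitive trust to a partner domain. A domain accepts the user if it trusts the user's home domain directly, whatever the trust type, or if it is reached from the home domain along a chain in which every trust is transitive; a nontransitive trust never carries beyond its two ends. The model treats transitive as unbounded, which is right inside one forest; a real forest trust is transitive only between the two forests it joins, so extending the data to a third forest would need an extra rule.

```python
"""Which domains will authorise a user from a given home domain, given a
set of trusts and their transitivity. Added example; the trusts are
constructed sample data, not a real environment."""
from collections import deque

# Each tuple is (trusting domain, trusted domain, transitive).
# "corp.example trusts eu.corp.example" means eu users can be granted corp resources.
TRUSTS = [
    ("corp.example", "eu.corp.example", True),   # parent-child: two-way, transitive
    ("eu.corp.example", "corp.example", True),
    ("corp.example", "us.corp.example", True),
    ("us.corp.example", "corp.example", True),
    ("corp.example", "partner.example", False),  # external: two-way, nontransitive
    ("partner.example", "corp.example", False),
]


def accepting_domains(home, trusts):
    """Domains whose resources a user from `home` can be authorised for.

    A domain accepts the user if it trusts `home` directly (any trust type),
    or if it is reached from `home` along a chain of trusts that are all
    transitive. A nontransitive trust is never extended beyond its two ends.
    """
    accepted = set()
    expandable = deque([home])      # domains reached via all-transitive paths
    seen = {home}
    while expandable:
        current = expandable.popleft()
        for trusting, trusted, transitive in trusts:
            if trusted != current or trusting == home:
                continue
            if current == home or transitive:
                accepted.add(trusting)
            if transitive and trusting not in seen:
                seen.add(trusting)
                expandable.append(trusting)
    return accepted


if __name__ == "__main__":
    for home in ("eu.corp.example", "corp.example", "partner.example"):
        print(home, "->", sorted(accepting_domains(home, TRUSTS)))
```

A user from eu.corp.example reaches corp.example directly and us.corp.example through the root, because both hops are transitive, but never partner.example, since the external trust is not extended to domains the root trusts. Conversely a partner.example user is accepted only by corp.example. Reviewing a trust map with a check like this is the quickest way to see how far a compromised account in one domain could be used across the others.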