Active Directory

Active Directory can be installed on servers running members of the Windows 2000 Server and Windows Server 2003 families. Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

This data store, or directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.

Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage and organize directory data throughout their network, and authorized users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.

Active Directory also includes the following:

  • A set of rules (or schema) that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.

  • A global catalog that contains information about every object in the directory. This catalog allows users and administrators to find directory information regardless of which domain in the directory actually contains the data.

  • A query and index mechanism, so that objects and their properties can be published and found by network users or applications.

  • A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

Accounts

Active Directory user accounts and computer accounts represent a physical entity such as a computer or person. User accounts can also be used as dedicated service accounts for some applications.

User accounts and computer accounts (as well as groups) are also referred to as security principals. Security principals are directory objects that are automatically assigned security identifiers (SIDs), which can be used to access domain resources. A user or computer account is used to do the following:

  • Authenticate the identity of a user or computer

    A user account in Active Directory enables a user to log on to computers and domains with an identity that can be authenticated by the domain. Each user who logs on to the network should have their own unique user account and password. To maximize security, you should avoid multiple users sharing one account.

  • Authorize or deny access to domain resources

    When the user is authenticated, the user is authorized or denied access to domain resources based on the explicit permissions assigned to that user on the resource.

  • Administer other security principals

    Active Directory creates a foreign security principal object in the local domain to represent each security principal from a trusted external domain.

  • Audit actions performed using the user or computer account

    Auditing can help you monitor account security.

You can manage user accounts with the Active Directory Users and Computers snap-in. Each user account must be unique.

Every computer running Windows NT, Windows 2000, Windows XP, or Windows Server 2003 that joins a domain has a computer account. Similar to user accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources. Each computer account must be unique.

User and computer accounts can be added, disabled, reset, and deleted using the Active Directory Users and Computers snap-in. A computer account can also be created when you join a computer to a domain.

Dial-In Properties of an Account

In Windows 2000 and Windows Server 2003, user and computer accounts on an Active Directory-based server contain a set of dial-in properties that are used when allowing or denying a connection attempt. In an Active Directory-based domain, you can set the dial-in properties on the Dial-In tab of the user or computer account in the Active Directory Users and Computers snap-in. Figure 4-31 shows the Dial-In tab for a user account in a Windows 2000 native or Windows Server 2003 functional level domain.

Figure 4-31. The Dial-In tab of a user account.

From the Dial-In tab, you can view and configure the following:

  • Remote Access Permission (Dial-In Or VPN)

    You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are also used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. The Control Access Through Remote Access Policy option is available only on user and computer accounts in a Windows 2000 native or Windows Server 2003 functional level domain.

    New accounts that are created for a Windows 2000 native or Windows Server 2003 functional level domain are set to Control Access Through Remote Access Policy. New accounts that are created in a Windows 2000 mixed functional level domain are set to Deny Access.

  • Verify Caller-ID

    If this property is enabled, the access server verifies the caller's phone number. If the caller's phone number does not match the configured phone number, the connection attempt is denied. This setting is designed for dial-in connections.

  • Callback Options

    If this property is enabled, the access server calls the caller back during the connection process. Either the caller or the network administrator sets the phone number that is used by the server. This setting is designed for dial-in connections.

  • Assign A Static IP Address

    You can use this property to assign a specific IP address to a user when a connection is made. This setting is designed for dial-in connections.

  • Apply Static Routes

    You can use this property to define a series of static IP routes that are added to the routing table of the server running the Routing and Remote Access service when a connection is made. This setting is designed for demand-dial routing.

NOTE
Dial-in properties for computer accounts in Windows 2000 Active Directory domains are available only after Windows 2000 SP3 or later is installed on domain controllers.
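The Dial-In tab settings described above are stored as attributes on the account object, so they can be reported across the whole domain. The following is an added example, not code from the book; it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, not the Windows 2000/2003 snap-in the text describes) and assumes the standard attribute names msNPAllowDialin, msNPCallingStationID and msRADIUSCallbackNumber.

```powershell
# Added example (not from the book): report how the Dial-In tab is set on every
# user and computer account, using the ActiveDirectory PowerShell module.
# The tab's settings are stored in these account attributes:
#   msNPAllowDialin         True = Allow Access, False = Deny Access,
#                           not set = Control Access Through Remote Access Policy
#   msNPCallingStationID    the Verify Caller-ID phone number
#   msRADIUSCallbackNumber  the Callback Options phone number
Import-Module ActiveDirectory

function Get-DialInPermission {
    param($AllowDialin)   # the raw msNPAllowDialin value (True, False or $null)
    if ($null -eq $AllowDialin) { 'Control Access Through Remote Access Policy' }
    elseif ($AllowDialin)       { 'Allow Access' }
    else                        { 'Deny Access' }
}

$props = 'msNPAllowDialin', 'msNPCallingStationID', 'msRADIUSCallbackNumber'
$accounts = @(Get-ADUser -Filter * -Properties $props) +
            @(Get-ADComputer -Filter * -Properties $props)

$report = foreach ($a in $accounts) {
    [pscustomobject]@{
        Account        = $a.SamAccountName
        Enabled        = $a.Enabled
        Permission     = Get-DialInPermission $a.msNPAllowDialin
        VerifyCallerID = $a.msNPCallingStationID
        Callback       = $a.msRADIUSCallbackNumber
    }
}

# How many accounts are in each state; in a native or Windows Server 2003
# functional level domain, policy-controlled should be the norm.
$report | Group-Object Permission | Select-Object Name, Count | Format-Table -AutoSize

# Accounts set to Allow Access are per-account exceptions to policy-based
# control and worth reviewing, especially disabled accounts that still carry one.
$report | Where-Object { $_.Permission -eq 'Allow Access' } |
    Sort-Object Enabled, Account | Format-Table -AutoSize
```

Run it from an account that can read the domain; it changes nothing, it only reads the attributes.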

Groups

A group is a collection of user and computer accounts, contacts, and other groups that can be managed as a single unit. Users and computers that belong to a particular group are referred to as group members. Using groups can simplify administration by assigning a common set of permissions and rights to many accounts at once, rather than assigning permissions and rights to each account individually.

Groups can be either directory-based or local to a particular computer. Active Directory provides a set of default groups upon installation and also lets you create your own groups.

Groups in Active Directory allow you to do the following:

  • Simplify administration by assigning permissions on a shared resource to a group, rather than to individual users. This assigns the same access on the resource to all members of that group.

  • Delegate administration by assigning user rights once to a group through Group Policy and then adding to that group the members you want to have those rights.

Groups have a scope and type. Group scope determines the extent to which the group is applied within a domain or forest. Active Directory defines universal, global, and domain local scopes for groups. Group type determines whether a group can be used to assign permissions from a shared resource (for security groups) or whether a group can be used for e-mail distribution lists only (for distribution groups).

More Info
For more information about the types of groups, group scope, and domain functional levels, see Windows Server 2003 Help and Support or http://www.microsoft.com/windowsserver2003/technologies/activedirectory/default.mspx.

Nesting allows you to add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic. The nesting options available depend on whether your Windows Server 2003 domain is set to the Windows 2000 native or the Windows 2000 mixed functional level.

When you have decided how to nest groups based on your domain functional level, organize your wireless access user and computer accounts into the appropriate groups. For a Windows 2000 native or Windows Server 2003 functional level domain, you can use universal and nested global groups. For example, create a universal group named WirelessUsers that contains global groups of wireless user and computer accounts for intranet access. Then you need only to specify that group name when you create your remote access policy with IAS.
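The WirelessUsers nesting just described, built and verified with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later). This is an added example, not the book's own procedure; the OU path, the global group names and the account names are placeholders, only WirelessUsers comes from the text.

```powershell
# Added example (not from the book): create a universal group that the IAS
# remote access policy references, with the accounts held in nested global groups.
Import-Module ActiveDirectory

$ou = 'OU=Wireless,DC=example,DC=com'   # placeholder container for the groups

# Global groups hold the actual accounts; their members must come from this domain.
New-ADGroup -Name 'WirelessUserAccounts'     -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'WirelessComputerAccounts' -GroupScope Global -GroupCategory Security -Path $ou

# The universal group is the single name used in the remote access policy.
# Universal scope requires a Windows 2000 native or Windows Server 2003
# functional level domain; in a mixed-mode domain this command fails.
New-ADGroup -Name 'WirelessUsers' -GroupScope Universal -GroupCategory Security -Path $ou

# Nest the global groups in the universal group rather than adding accounts
# directly, so the universal group's membership (which is replicated to the
# global catalog) stays small and stable.
Add-ADGroupMember -Identity 'WirelessUsers' -Members 'WirelessUserAccounts', 'WirelessComputerAccounts'

# Populate the global groups (placeholder account names; computer accounts end in $).
Add-ADGroupMember -Identity 'WirelessUserAccounts'     -Members 'alice', 'bob'
Add-ADGroupMember -Identity 'WirelessComputerAccounts' -Members 'LAPTOP01$', 'LAPTOP02$'

# Verify: direct members are only the two global groups ...
Get-ADGroupMember -Identity 'WirelessUsers' | Select-Object Name, objectClass

# ... but the policy matches every account that resolves through the nesting.
Get-ADGroupMember -Identity 'WirelessUsers' -Recursive | Select-Object Name, objectClass
```

The recursive listing is the check to repeat after membership changes: it shows exactly which user and computer accounts the Windows-Groups condition in the remote access policy will match.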



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies
