Introduction

Previous page
Table of content
Next page

The three most common types of objects you'll need to manage in an Active Directory forest include users, groups, and computers. You'll need to create user objects to represent the employees, customers, or students in your environment. It is important to understand how to properly configure and automate the management of user objects so you can cut down on much of the day-to-day tasks required to support these objects.

A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier when applying security than using individual users because you have to apply the security only once instead of once per user.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member. Active Directory groups can be used for many different purposes including controlling access to resources, defining a filter for the application of group policies, and as an email distribution list.

The scope and type of a group defines how the group can be used in a forest. The type of a group can be either security or distribution. Security groups can be used to restrict access to resources whereas distribution groups can be used only as a simple grouping mechanism. Both group types can be used as email lists. The scope of a group determines where members of the group can be located in the forest and where in the forest you can use the group in ACLs. The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the forest. Global groups can only have members that are part of the same domain the group is in.

As far as Active Directory is concerned, computers are very similar to users. In fact, computer objects inherit directly from the user object class, which is used to represent user accounts. That means computer objects have all of the attributes of user objects and then some. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, utilize GPOs, and have permissions granted or restricted on them.

To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer has to present a password to a domain controller. The domain controller then verifies that password against the password stored in Active Directory with the computer's account. Without the computer object, and subsequently the password stored within it, there would be no way for the domain controller to verify a computer is what it claims to be.


Previous page
Table of content
Next page
Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
BUY ON AMAZON
C++ How to Program (5th Edition)
Introduction to 80x86 Assembly Language and Computer Architecture
Making Sense of Change Management: A Complete Guide to the Models, Tools and Techniques of Organizational Change
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
MPLS Configuration on Cisco IOS Software
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy