The following basic types of Active Directory objects serve as security principals:
User Accounts. User accounts identify individual users on your network by including
information such as the user's name and their password. User accounts are the fundamental
unit of security administration.
Groups. There are two main types of groups: security groups and distribution groups.
Both types can contain user accounts. System administrators use security groups to ease
the management of security permissions. They use distribution groups, on the other hand,
solely to send email. Distribution groups are not security principals. You'll see the details of
groups in the next section.
Computer Accounts. Computer accounts identify which client computers are members
of particular domains. Because these computers participate in the Active Directory
database, system administrators can manage security settings that affect the computer.
They use computer accounts to determine whether a computer can join a domain and for
authentication purposes. As you'll see later in this chapter, system administrators can also
place restrictions on certain computer settings to increase security. These settings apply
to the computer and, therefore, also apply to any user who is using it (regardless of the
permissions granted to the user account).
Note that other objects, such as organizational units (OUs), do not function as security
principals. What this means is that you can apply certain settings (such as Group Policy)
on all of the objects within an OU; however, you cannot specifically set permissions with
respect to the OU. The purpose of OUs is to organize other Active Directory objects
logically based on business needs, add a needed level of control for security, and create an
easier way to delegate.
You can manage security by performing the following actions with security principals:
- You can assign them permissions to access various network resources.
- You can give them user rights.
- You can track their actions through auditing (covered later in this chapter).
The major types of security principals—user accounts, groups, and computer accounts—
form the basis of the Active Directory security architecture. As a system administrator, you
will likely spend a portion of your time managing permissions for these objects.
It is important to understand that since a unique SID defines each security
principal, deleting a security principal is an irreversible process. For example,
if you delete a user account and then later re-create one with the same
name, you'll need to reassign permissions and group membership settings
for the new account. Once a user account is deleted, its SID is deleted.
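Because permissions are recorded against the SID rather than the account name, entries granted to a deleted principal stay behind on resources as SIDs that no longer resolve. The following PowerShell sketch is an added example, not code from the original text; the folder path and the function name Get-OrphanedAce are hypothetical. It lists explicit permission entries on a folder tree whose SID cannot be mapped to any account:

```powershell
# Added example: report explicit ACEs whose SID no longer maps to an account,
# which is what a deleted user, group or computer account leaves behind.
param(
    [string]$Path = 'C:\Shares\Finance'   # hypothetical path; replace with your own
)

function Get-OrphanedAce {               # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    # Check the root folder itself and every subfolder beneath it
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit entries only, returned as SIDs so no name lookup happens implicitly
        $rules = $acl.GetAccessRules($true, $false,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            try {
                # Translate() fails when no existing account owns this SID
                [void]$sid.Translate([System.Security.Principal.NTAccount])
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $sid.Value
                    Rights = $rule.FileSystemRights
                    Type   = $rule.AccessControlType
                }
            }
        }
    }
}

Get-OrphanedAce -Root $Path | Format-Table -AutoSize
```

A SID can also fail to resolve when the domain that issued it is temporarily unreachable, so confirm that the account was really deleted before removing an entry.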
Users and groups are two types of fundamental security principals employed for security
administration. In the following sections, you'll learn how users and groups interact. You'll
also learn about the different types of groups you can create.