Active Directory and User Administration
Active Directory Domain Services AD DS is Microsoft’s implementation of a directory service that provides centralized authentication and authorization services. AD DS provides a powerful directory service to centrally store and manage security principals, such as users, groups, and computers, and it offers centralized and secure access to network resources.
AD DS is one of the most important server roles in Windows Server 2008. It provides the basis for authentication and authorization for virtually all other server roles in Windows Server 2008 and is the foundation for Microsoft’s Identity and Access Solutions. Additionally, a number of enterprise products, including Exchange Server and Windows SharePoint Services, require AD DS.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.
Active Directory plays an important role in the future of Windows networking. Administrators must be able to protect their directory from attackers and users, while delegating tasks to other administrators where necessary. This is all possible using the Active Directory security model, which associates an access control list (ACL) with each container, object, and object attribute within the directory.
This high level of control allows an administrator to grant individual users and groups varying levels of permissions for objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. For example, the administrator could set the ACL’s such that only managers can view the home phone numbers of other users. Non-managers would not even know that the attribute existed.