Tuesday, June 3, 2014

Active Directory Users and Computers

In an Active Directory network, users and computers are the most important object types: they are the logical representation of the real end users and systems that are joined to a domain within an organization. A key aspect of the Active Directory service is that it gives each user and computer an individual account, which simplifies administration and also provides secure authentication and authorization. User and computer accounts are therefore managed through the Active Directory Users and Computers snap-in console.
AD user authentication verifies the identity of every Active Directory user who logs on to a domain. Once authenticated, a user can connect to and use resources such as data, shares, system libraries, applications and devices anywhere in the network.
AD user authorization protects network resources from unauthorized access. After a user account has been authenticated, the access rights granted to it depend largely on the access control permissions attached to the various objects.
Some common terms used with user and computer accounts are listed below:
  • User rights: User rights comprise both logon rights and privileges, and are assigned to users and groups.
  • Access control permissions: Permissions such as Write, Read and No Access are assigned to every object and to each property of an object.
  • Access tokens: An access token is created each time a user logs on and represents the user account. It consists of three main elements: the individual SID, the user rights and the group SIDs. An access token is not updated until the user's next logon.
  • SIDs: In a Windows Server system, a SID is a unique security identifier that identifies a specific user, group or computer.
    • Individual SID: Represents the logged-on user.
    • Group SID: Represents a logged-on user's group membership.
  • Access Control List (ACL): Every Active Directory object is associated with the following two ACLs:
    • Discretionary Access Control List (DACL): A list of the user accounts, groups and computers that are allowed or denied access to the object.
    • System Access Control List (SACL): Defines which events are audited for a user or group.
  • Access Control Entry (ACE): Every DACL or SACL consists of a list of ACEs, each holding the permissions granted or denied to the users, groups and computers listed in that DACL or SACL. Each ACE consists of a SID together with the relevant permission, such as Write access.
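The relationship between an access token (user SID plus group SIDs), the DACL (ordered allow/deny ACEs) and the SACL (audit ACEs) is easiest to see in a small model of the access check. The following Python is an added example, not code from the original post or from Windows itself; it is a simplified model of how the system walks a DACL in stored order, stops at the first deny that covers an outstanding right, accumulates allowed rights until the request is satisfied, and then consults the SACL to decide whether the attempt should be audited. All SIDs, right bits and ACEs are constructed sample values.

```python
# Added example: a simplified model of the Windows access check.
# SIDs, right bits and ACEs below are constructed sample values.
from dataclasses import dataclass

# Access-right bits (a small subset, values chosen for this example).
READ = 0x1
WRITE = 0x2
DELETE = 0x4
FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class ACE:
    kind: str            # "allow" or "deny"
    sid: str             # trustee SID the entry applies to
    mask: int            # rights the entry allows or denies
    inherited: bool = False


@dataclass(frozen=True)
class AuditACE:
    sid: str             # trustee SID whose accesses are audited
    mask: int            # rights whose use is audited
    on_success: bool
    on_failure: bool


@dataclass(frozen=True)
class AccessToken:
    # Built at logon; frozen to mirror the fact that a token is not
    # refreshed until the next logon, however group membership changes.
    user_sid: str
    group_sids: frozenset

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids


def is_canonical(dacl):
    """True if ACEs are in canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow. A non-canonical DACL can let an allow
    entry grant access before a later deny entry is ever reached."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    ranks = [rank[(ace.inherited, ace.kind)] for ace in dacl]
    return ranks == sorted(ranks)


def access_check(token, dacl, requested):
    """Return (granted, reason) for the requested right bits."""
    if dacl is None:      # NULL DACL: object is unprotected, everyone gets access
        return True, "null DACL"
    if not dacl:          # empty DACL: nobody gets access
        return False, "empty DACL"
    granted = 0
    for ace in dacl:      # evaluated in stored order, like the real check
        if not token.holds(ace.sid):
            continue
        outstanding = requested & ~granted
        if ace.kind == "deny" and ace.mask & outstanding:
            return False, f"denied by ACE for {ace.sid}"
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True, "all requested rights granted"
    return False, "requested rights not granted by any ACE"


def audit_needed(token, sacl, requested, granted):
    """True if the SACL says this attempt should produce an audit event."""
    for ace in sacl:
        if token.holds(ace.sid) and ace.mask & requested:
            if (granted and ace.on_success) or (not granted and ace.on_failure):
                return True
    return False


# Constructed sample principals and an object's ACLs.
ALICE = "S-1-5-21-1000-1000-1000-1101"
BOB = "S-1-5-21-1000-1000-1000-1102"
HR_GROUP = "S-1-5-21-1000-1000-1000-1201"
CONTRACTORS = "S-1-5-21-1000-1000-1000-1202"
EVERYONE = "S-1-1-0"

alice_token = AccessToken(ALICE, frozenset({HR_GROUP, EVERYONE}))
bob_token = AccessToken(BOB, frozenset({CONTRACTORS, EVERYONE}))

payroll_dacl = [
    ACE("deny", CONTRACTORS, FULL),
    ACE("allow", HR_GROUP, READ | WRITE),
    ACE("allow", EVERYONE, READ),
]
payroll_sacl = [AuditACE(EVERYONE, WRITE | DELETE, on_success=True, on_failure=True)]


def demo():
    """Check each principal for each right; returns {(who, right): (granted, audited)}."""
    results = {}
    for who, token in (("alice", alice_token), ("bob", bob_token)):
        for right, label in ((READ, "read"), (WRITE, "write"), (DELETE, "delete")):
            ok, _ = access_check(token, payroll_dacl, right)
            results[(who, label)] = (ok, audit_needed(token, payroll_sacl, right, ok))
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

Alice reads and writes through the HR group entry but cannot delete, and her failed delete is audited; Bob is stopped by the contractors deny entry before the Everyone allow entry is reached. The `is_canonical` check is the kind of test a defender runs over object ACLs, since a DACL whose allow entries precede its deny entries behaves differently from what the entries appear to say.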
Like user accounts, Active Directory computer accounts undergo authentication and authorization so that access by every computer in the network can be controlled. Note that Active Directory users and computers are together referred to as security principals, since the operating system enforces specific security for these entities. Security principals are directory objects that are automatically assigned SIDs (security identifiers) when they are created. Objects that have a valid SID can log on to the network and access domain resources.
Every user and computer account receives Group Policy in the form of Group Policy Objects (GPOs). Group Policy configuration settings are linked to the organizational units, domains and sites that contain user and computer accounts. Whenever a Group Policy is applied to a container there are two possibilities: it may affect all the objects in the container, or only a particular set of objects. Group Policies help configure security options, manage and organize applications and desktop appearance, assign scripts and redirect folders from local computers to network systems. Group Policies are applied to users at logon and to computers at boot time.
