Operating System
Active Directory Users, Computers, and Groups
White Paper
Abstract
In the Microsoft® Windows® 2000 operating system, the Active Directory™ service provides user and computer accounts and distribution and security groups. The operating system integrates user, computer, and group security with the Windows 2000 security subsystem as a whole. This paper introduces administrators unfamiliar with Windows 2000 to the way users, computers, and groups are organized and how user authentication and authorization are used to provide security.
© 2000 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Microsoft, Active Desktop, BackOffice, the BackOffice logo, MSN, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
02/00
Contents
Introduction
Concepts
Active Directory User and Computer Accounts
User Accounts
Predefined User Accounts
Computer Accounts
Security Principals
Group Policy Applied to User and Computer Accounts
Active Directory Groups
Group Type: Security or Distribution
Distribution Groups
Security Groups
Group Scope: Local, Domain Local, Global, or Universal
Groups with Local Scope
Groups with Domain Local Scope
Groups with Global Scope
Groups with Universal Scope
Group Scope and Replication Traffic
How Domain Mode Affects Groups
Mode Determines Whether You Can Convert Group Types
Mode Affects Security and Distribution Groups Differently
Mode Governs Nesting Options
Changing to Native Mode Impacts Groups
Windows 2000 Built-in, Predefined, and Special Groups
Groups on Standalone Servers and Windows 2000 Professional
User Authentication
Interactive Logon
Network Authentication
Using Certificates to Authenticate External Users
User Authorization
User Rights: Assigned to Groups
Access Control Permissions: Attached to Objects
Security Descriptors
Object Ownership
Object Auditing
Object Permissions and Inheritance
Object Types, Managers, and Tools
Summary
For More Information
Appendix A: Built-in, Predefined, and Special Groups
Appendix B: User Rights
Introduction
A great part of network administration involves management of users, computers, and groups. A successful operating system must ensure that only properly authenticated users and computers can log on to the network and that each network resource is available only to authorized users. In the Microsoft® Windows® 2000 operating system, the Active Directory™ service plays several major roles in providing security. Among these roles are the efficient and effective management of user logon authentication and user authorization. Both are central features of the Windows 2000 security subsystem and both are fully integrated with Active Directory.
Active Directory user authentication confirms the identity of any user trying to log on to a domain and lets users access resources (such as data, applications, or printers) located anywhere on the network. A key feature of Windows 2000 user authentication is its single sign-on capability, which makes multiple applications and services available to the user over the network without the user having to provide credentials more than once.
Active Directory user authorization secures resources from unauthorized access. After a user account has received authentication and can potentially access an object, the type of access actually granted is determined by what user rights are assigned to the user and which access control permissions are attached to the objects the user wishes to access. An object is a distinct, named set of attributes, and includes shared resources such as servers, shared volumes, and printers; network user and computer accounts; as well as domains, applications, services, and security policies.
This paper describes Windows 2000 users, computers, and groups from the perspective of security, with an emphasis on the security issues of authentication and authorization. The following sections cover these topics:
· Active Directory User and Computer Accounts
· Active Directory Groups
· User Authentication
· User Authorization
For security topics not covered in this paper and for information about the structure of Active Directory (including Active Directory objects, domains, trees, forests, trusts, organizational units, and sites), see the section “For More Information” at the end of this document.
Concepts
The following definitions will help you understand the basic concepts that are used throughout the paper:
· User rights are assigned to groups (or users). User rights include both privileges (such as Back Up Files and Directories) and logon rights (such as Access this Computer from Network).
· Access control permissions (such as Read, Write, Full Control, or No Access) are attached to Windows 2000 objects. In the case of Active Directory objects, access control can be defined not only for each object in the directory but also for each property of each object. (For a list of all object types, see the section “Object Types, Managers, and Tools.”)
· Access token. Each time a user logs on, Windows 2000 creates an access token. The access token is a representation of the user account and contains the following elements:
o Individual SID. Security identifier (SID) representing the logged-on user
o Group SIDs. SIDs representing the logged-on user’s group memberships
o User Rights. Privileges (associated with each SID) granted to the user or to groups to which the user belongs
When the user tries to access an object, Windows 2000 compares each SID in the user’s access token to entries in an object's discretionary access control list (DACL) to determine whether the user has permission to access the object and, if access is allowed, what type of access it is. In some cases, user rights in the user’s token may override the permissions listed in the DACL and access may be granted that way.
An access token is not updated until the next logon, which means that if you add a user to a group, the user must log off and log on before the access token is updated.
· Security identifier (SID). A SID is a code that uniquely identifies a specific user, group, or computer to the Windows 2000 security system. A user’s own SID is always attached to the user’s access token. When a user is made a member of a group, the SID for that group is also attached to the user's access token.
· Access Control List (ACL). Each Active Directory object (as well as each file, registry key, and so on) has two associated ACLs:
o DACL. The discretionary access control list (DACL) is a list of user accounts, groups, and computers that are allowed (or denied) access to the object.
o SACL. The System Access Control List (SACL) defines which events (such as file access) are audited for a user or group.
· Access Control Entry (ACE). A DACL or SACL consists of a list of Access Control Entries (ACEs), where each ACE lists the permissions granted or denied to the users, groups, or computers listed in the DACL or SACL. An ACE contains a SID with a permission, such as Read access or Write access. Windows 2000 combines access permissions—if you have Read access to an object because you are a member of Group A and if you have Write access because you are a member of Group B, you have both Read and Write access to the object. However, if you have No Access as a member of Group C, you will not have access to the object.
Figure 1 shows how a user’s access token and an object’s DACL let the user (in this case) access the object. When the user, Adam, requests access to the payroll file object, Windows 2000 compares each SID in Adam’s access token to each ACE in the DACL to see if access is explicitly denied to Adam or to any group to which Adam belongs. It then checks to see if the requested access is specifically permitted. Windows repeats these steps until it encounters a No Access or until it has collected all the necessary permissions to grant the requested access. If the DACL does not specifically allow permission for each requested access, access is denied.
Figure 1. User authentication creates an access token for the user. The access token contains the user’s primary SID, together with the SIDs of any groups to which the user belongs. This user is authorized to access this domain resource, a payroll file.
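A simplified model of the access check just described, as an added example (not code from the white paper or from Windows): it walks the DACL in order, stops at an explicit deny that matches a SID in the token, accumulates allowed rights until every requested right is covered, and denies anything the DACL never allows. The SID strings, the right bits and the sample token and DACL are constructed for illustration, and the model leaves out the user-rights override mentioned above.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed right bits, not real Windows access masks


@dataclass(frozen=True)
class ACE:
    sid: str     # SID the entry applies to
    mask: int    # rights the entry covers
    allow: bool  # True: access-allowed ACE, False: access-denied ACE


def access_check(token_sids, dacl, requested):
    """Walk the DACL in order; return (granted, rights collected). token_sids is
    the user's SID plus group SIDs; a matching deny on a needed right ends the
    check, allows accumulate until all requested rights are covered."""
    if dacl is None:  # object has no DACL at all: unprotected
        return True, requested
    if requested == 0:
        return False, 0
    collected = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & requested & ~collected:
                return False, collected
        else:
            collected |= ace.mask & requested
            if collected == requested:
                return True, collected
    return False, collected


# Constructed sample SIDs and DACL mirroring the paper's Group A/B/C example;
# the explicit deny is listed first, as Windows orders canonical DACLs.
ADAM, GROUP_A, GROUP_B, GROUP_C = ("S-1-5-21-7-7-7-1001", "S-1-5-21-7-7-7-2001",
                                   "S-1-5-21-7-7-7-2002", "S-1-5-21-7-7-7-2003")
PAYROLL_DACL = [
    ACE(GROUP_C, READ | WRITE, allow=False),  # No Access for Group C
    ACE(GROUP_A, READ, allow=True),
    ACE(GROUP_B, WRITE, allow=True),
]


def demo():
    """Adam in A and B gets Read+Write; a fresh token after joining C is denied."""
    adam = {ADAM, GROUP_A, GROUP_B}
    before = access_check(adam, PAYROLL_DACL, READ | WRITE)
    after = access_check(adam | {GROUP_C}, PAYROLL_DACL, READ)
    return before, after
```

Because the token is only rebuilt at logon, adding Adam to Group C has no effect on his current session; the second check in demo() uses a new token set to show the deny taking effect.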
Active Directory User and Computer Accounts
The Windows 2000 operating system uses a user or computer account to authenticate the identity of the user or computer and to authorize or deny access to domain resources. For example, users who are members of the Enterprise Administrators group are, by default, granted permission to log on at any domain controller in the Active Directory forest. Administrators can audit actions performed by user or computer accounts.
You add, disable, reset, or delete user and computer accounts using the Active Directory Users and Computers tool.
This section covers the following topics:
· User Accounts
· Computer Accounts
· Security Principals
· Group Policy Applied to User and Computer Accounts
User Accounts
A user requires an Active Directory user account to log on to a computer or to a domain. The account establishes an identity for the user; the operating system then uses this identity to authenticate the user and to grant him or her authorization to access specific domain resources.
User accounts can also be used as service accounts for some applications. That is, a service can be configured to log on (authenticate) as a user account, and it is then granted access to specific network resources through that user account.
Predefined User Accounts
Windows 2000 provides the following two predefined user accounts[1]:
· Administrator account
· Guest account
You can use these accounts to log on locally to a computer running Windows 2000 and to access resources on the local computer. These accounts are designed primarily for initial logon and configuration of a local computer. The Guest account is disabled, and you must enable it explicitly if you want to allow unrestricted access to the computer. The Administrator account is the most powerful account because it is a member of the Administrators group by default. This account must be protected with a strong password to avoid the potential for a security breach of the computer.
To enable the Windows 2000 user authentication and authorization features, you create an individual user account for each user who will participate on your network. Then add each user account—including the Administrator and Guest accounts—to Windows 2000 groups, and assign appropriate rights and permissions to each group.
Computer Accounts
Like user accounts, Windows 2000 computer accounts provide a means for authenticating and auditing the computer's access to the network[2] and its access to domain resources. Each Windows 2000 computer to which you want to grant access to resources must have a unique computer account.
Computers running Windows 98 and Windows 95 do not have the advanced security features of those running Windows 2000 and Windows NT, and they cannot be assigned computer accounts in Windows 2000 domains. However, you can log on to a network and use Windows 98 and Windows 95 computers in Active Directory domains.
Security Principals
Active Directory user and computer accounts (as well as groups, covered later) are referred to as security principals, a term that emphasizes the security that the operating system implements for these entities. Security principals are directory objects that are automatically assigned SIDs when they are created. Objects with SIDs can log on to the network and can then access domain resources.
If you establish a trust relationship between a domain in your Windows 2000 forest and a Windows 2000 domain external to your forest, you can grant security principals from the external domain access to resources in your forest. To do so, add external security principals to a Windows 2000 group, which causes Active Directory to create a “foreign security principal” object for those security principals[3]. You can make foreign security principals members of domain local groups (covered later). You cannot manually modify foreign security principals, but you can see them in the Active Directory Users and Computers interface by enabling Advanced Features.
Group Policy Applied to User and Computer Accounts
In the Windows 2000 operating system environment, you can associate Group Policy configuration settings with three Active Directory containers—organizational units (OUs), domains, or sites. Group Policy settings associated with a given container either affect all users or computers in that container, or they affect specified sets of objects within that container. You can use Group Policy to configure security options, manage applications, manage desktop appearance, assign scripts, and redirect folders from local computers to network locations. The system applies group policy to computers at boot time or to users when they log on. (You can also set the group policy refresh interval policy for users or computers; the default refresh interval for both users and computers is 90 minutes.)
Here are three examples of using group policy settings:
· Set the minimum password length and the maximum length of time that a password remains valid for an entire domain.
· Assign logon and logoff scripts to the user accounts in each organizational unit.
· Specify which applications are available to users when they log on.
For detailed information about Group Policy, see “For More Information.”
Active Directory Groups
Groups are Active Directory (or local computer) objects that can contain users, contacts, computers, and other groups. In Windows 2000, groups are created in domains, using the Active Directory Users and Computers tool. You can create groups in the root domain, in any other domain in the forest, in any organizational unit, or in any Container class object (such as the default Users container). Like user and computer accounts, groups are Windows 2000 security principals; they are directory objects to which SIDs are assigned at creation.