
Active Directory Fundamentals

Understanding Active Directory Objects

What you’ll learn:

Active Directory (AD) is Microsoft's directory service for centrally managing the users and resources of a Windows network. Everything the directory keeps track of, whether a real person or a network resource, is stored as an entity called an Active Directory object. Objects come in several types, distinguished by what they represent and what they are used for. In this article we look at what AD objects are, the different types of objects in AD, and how an object gets its attributes.

What are Active Directory objects?

Active Directory (AD) objects are the building blocks of an AD network: entities that represent a resource, such as a user, a computer, or a printer, that is part of the directory. Each object is described by a set of pieces of information called attributes. A user object, for example, has attributes for the person's full name, telephone number, address, and so on. Attributes are what LDAP queries match on when identifying or searching for objects. Every object type has a predefined set of attributes, and which attributes an object carries is decided by its object class.

What are object classes?

Every Active Directory forest has a schema: the catalogue of every class of object the forest can hold and of every attribute those objects can carry. The schema is the blueprint from which objects are created, and it is shared by all domains in the forest. Object classes are part of the schema. Think of a class as a template for objects of one kind: it lists the attributes an object of that class must have and the ones it may have. There are three kinds of object classes, arranged in a hierarchy: abstract, structural, and auxiliary.

  •  Abstract class: An abstract class is a template that exists only to be inherited from; no object can be created from it directly. It can derive only from another abstract class, and top, the abstract root of the hierarchy, is the ancestor of every class in the schema.
  •  Structural class: A structural class is the class an object is actually created from, and the only kind that can be instantiated. It derives from an abstract class or from another structural class and inherits every attribute of its ancestors. For example, computer is a subclass of user, which is why a computer object carries the same account attributes a user object does.
  •  Auxiliary class: An auxiliary class is a bundle of attributes that can be attached to a structural or abstract class without being part of its inheritance chain. It can derive from an abstract class or from another auxiliary class. The securityPrincipal auxiliary class, which adds the objectSid and sAMAccountName attributes, is what makes users, groups, and computers security principals.
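Because a structural class inherits from everything above it, the objectClass attribute of a computer object lists top, person, organizationalPerson, user and computer, and an LDAP filter such as (objectClass=user) matches computers as well as people. The example below is added for this page (it is not code from the article): it models a handful of classes from the default AD schema together with a tiny LDAP filter evaluator, to show why the usual filter for human accounts is (&(objectCategory=person)(objectClass=user)) and which classes end up carrying objectSid. The subClassOf chain, auxiliary classes, defaultObjectCategory values and attribute lists are a small subset of the real schema; the helper functions and the filter evaluator are the example's own assumptions.

```python
"""Class hierarchy -> objectClass values -> what an LDAP filter returns.
Added example; schema facts are a subset of the default AD schema, the
functions and the mini filter evaluator are illustrative code."""
from typing import Dict, List, Set

# subClassOf for the classes modelled here; top is the abstract root.
SUBCLASS_OF: Dict[str, str] = {
    "person": "top", "organizationalPerson": "person",
    "user": "organizationalPerson", "computer": "user",   # a computer is a user, plus more
    "contact": "organizationalPerson", "group": "top", "organizationalUnit": "top",
}
# Abstract classes are templates only; they can never be instantiated.
ABSTRACT: Set[str] = {"top", "person", "organizationalPerson"}
# Auxiliary classes the default schema attaches to a structural class;
# securityPrincipal is what gives an object objectSid and sAMAccountName.
AUXILIARY: Dict[str, Set[str]] = {
    "user": {"securityPrincipal", "mailRecipient"},
    "group": {"securityPrincipal", "mailRecipient"},
    "contact": {"mailRecipient"},
}
# A few of each class's mustContain/mayContain attributes.
ATTRIBUTES: Dict[str, Set[str]] = {
    "top": {"objectClass", "objectCategory", "objectGUID", "nTSecurityDescriptor"},
    "person": {"cn", "sn", "telephoneNumber"},
    "organizationalPerson": {"givenName", "title", "department"},
    "user": {"userPrincipalName", "userAccountControl", "pwdLastSet"},
    "computer": {"dNSHostName", "operatingSystem"},
    "contact": set(),
    "group": {"member", "groupType"},
    "organizationalUnit": {"ou", "gPLink"},
    "securityPrincipal": {"objectSid", "sAMAccountName", "sIDHistory"},
    "mailRecipient": {"legacyExchangeDN", "showInAddressBook"},
}
# objectCategory is single-valued, copied from the class's defaultObjectCategory.
DEFAULT_OBJECT_CATEGORY: Dict[str, str] = {
    "user": "person", "computer": "computer", "contact": "person",
    "group": "group", "organizationalUnit": "organizationalUnit",
}


def object_class_values(structural: str) -> List[str]:
    """The multi-valued objectClass attribute as stored on an instance: the
    chain from top down to the structural class (statically attached
    auxiliary classes are not listed there)."""
    if structural in ABSTRACT:
        raise ValueError(f"{structural} is abstract and cannot be instantiated")
    chain, cls = [], structural
    while cls != "top":
        chain.append(cls)
        cls = SUBCLASS_OF[cls]
    chain.append("top")
    return chain[::-1]


def effective_attributes(structural: str) -> Set[str]:
    """Every attribute an object of this class may carry: inherited down the
    chain plus those contributed by attached auxiliary classes."""
    attrs: Set[str] = set()
    for cls in object_class_values(structural):
        attrs |= ATTRIBUTES[cls]
        for aux in AUXILIARY.get(cls, set()):
            attrs |= ATTRIBUTES[aux]
    return attrs


def is_security_principal(structural: str) -> bool:
    """Only classes that end up with objectSid can be authenticated."""
    return "objectSid" in effective_attributes(structural)


def _split_filters(body: str) -> List[str]:
    """Split '(a=b)(c=d)' into its top-level parenthesised items."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(body[start:i + 1])
    return items


def matches(structural: str, ldap_filter: str) -> bool:
    """Evaluate the subset of LDAP filter syntax these searches need:
    (objectClass=X), (objectCategory=X) and (&...) / (|...) groups."""
    text = ldap_filter.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"malformed filter: {ldap_filter}")
    body = text[1:-1]
    if body and body[0] in "&|":
        results = [matches(structural, f) for f in _split_filters(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    if attr == "objectClass":
        return value in object_class_values(structural)
    if attr == "objectCategory":
        return DEFAULT_OBJECT_CATEGORY[structural] == value
    raise ValueError(f"unsupported filter attribute: {attr}")


def find(ldap_filter: str) -> List[str]:
    """Structural classes whose instances the filter would return."""
    structural = sorted(c for c in SUBCLASS_OF if c not in ABSTRACT)
    return [c for c in structural if matches(c, ldap_filter)]
```

Running find("(objectClass=user)") returns both computer and user, while find("(&(objectCategory=person)(objectClass=user))") returns only user: the objectCategory test removes computers (their category is computer) and the objectClass test removes contacts (whose chain never passes through user). The same model shows that contacts and OUs never acquire objectSid, which is the schema-level reason they cannot be authenticated or granted permissions.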

How can objects be identified in the AD network?

When an object is created in Active Directory, it is assigned a 128-bit value called a globally unique identifier (GUID), stored in its objectGUID attribute. The GUID never changes, even when the object is renamed or moved to another OU, so it is the reliable way to refer to an object over its lifetime. Among all objects there is a special category called security principals: objects that can be authenticated by the operating system. Users, computers, and groups are security principals. Besides a GUID, every security principal is assigned a second unique identifier called a security identifier (SID), stored in its objectSid attribute; no other kind of object, such as a contact, an OU, or a printer, receives one. A SID is what appears in access tokens and in access control entries, so it, not the object's name, is what the operating system compares when it decides whether a principal may access a resource. A SID is never reused after its object is deleted.

Types of objects in Active Directory

Structurally, AD objects fall into two types:

  1.  Container objects: These objects can hold other objects beneath them in the directory tree. Organizational units (OUs) and the default containers such as CN=Users are examples. Groups are usually counted here as well, although strictly a group only lists its members in its member attribute; the member objects themselves stay where they are in the tree.
  2.  Leaf objects: Leaf objects cannot contain other objects. They are simply representations of resources in the AD network. Users, contacts, and printers are examples of leaf objects.

Various objects in Active Directory

The following are some of the common kinds of objects in an AD network:

  •  User: A user object represents the account of a person who needs access to resources in the AD domain. The account has a logon name (sAMAccountName and userPrincipalName) and is authenticated with a password, so that only the account's owner can use it to reach the domain's resources. Two built-in user accounts are present in every domain:
    •  Administrator account: the account with relative identifier (RID) 500, a permanent, fully privileged account for administering the domain. It can be renamed or disabled but never deleted.
    •  Guest account: the account with RID 501, intended for temporary access by people who have no account of their own, with minimal permissions. It is disabled by default and should normally stay that way.
  •  Computer: A computer object represents a workstation or server that has joined the domain. Like a user, it is a security principal: it has its own account and password and authenticates to the domain.
  •  Contact: A contact object holds the contact details of people who deal with the organization but are not part of it, such as vendors or service technicians. A contact has no password and no SID, so it cannot log on or be granted permissions.
  •  Group: A group object gathers users, computers, and other groups under one name. Groups are the normal way to manage permissions: rights are granted to the group's SID, and every member receives them because the group's SID is placed in the member's access token at logon, nested membership included.
  •  Organizational Unit (OU): An organizational unit is a container object that can hold users, computers, groups, contacts, printers, shared folders, and other OUs. OUs exist to organize the directory: Group Policy Objects are linked to OUs, and administrative control over the objects inside an OU can be delegated without granting domain-wide rights.
  •  Printer: A printer object represents a shared printer published in the directory.
  •  Shared folder: A shared folder object is a pointer to a shared folder, recording where on the network the folder lives; it holds none of the folder's data.

Difference between groups and organizational units

It is easy to confuse groups and OUs, since both look like containers at first glance. Their purposes, however, are quite different.

Groups exist to assign permissions. A group's SID can be placed in an access control entry of an access control list (ACL) on a file, share, or directory object, so that a single entry grants or denies rights to every member of the group at once.

Organizational units, as the name suggests, exist to organize AD objects. That organization is what Group Policy and delegation work on: a GPO linked to an OU applies to the computers and users inside it, and an administrator can delegate control over just the objects in an OU to, say, a helpdesk team without giving that team domain-wide administrative rights.

One thing to note is that OUs can contain groups and other OUs. Groups can contain other groups as nested groups, but they cannot contain OUs.

The decisive difference is that groups have security identifiers (SIDs) while OUs do not. A SID is the unique value assigned to security principals (users, computers, and groups), the objects that can be authenticated by the system, and it is what appears in access tokens and ACLs. Because an OU has no SID, it can never be a trustee in an ACL: you can set permissions on an OU and on the objects it holds, but you cannot grant permissions to an OU.
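The difference between "permissions granted to a group" and "objects organized in an OU" is easiest to see in the access check itself. The example below is added for this page (it is not code from the article) and models that check in simplified form: a principal's token holds its own SID plus the SIDs of every group it belongs to, directly or through nesting, and each access control entry names exactly one trustee SID. The domain SID, the account and group names, the OU and the ACLs are constructed for the example; real DACL evaluation also handles owner rights, inheritance and generic rights, which are left out.

```python
"""A group can be a trustee in an ACL; an OU cannot. Added example with a
constructed directory and a simplified DACL walk."""
from dataclasses import dataclass
from typing import Dict, List, Set

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

# Constructed directory. Only security principals carry a SID; the OU has
# none, so there is nothing an ACE could name.
PRINCIPALS: Dict[str, Dict] = {
    "alice":    {"sid": f"{DOMAIN}-1105", "memberOf": {"Helpdesk"}},
    "bob":      {"sid": f"{DOMAIN}-1106", "memberOf": set()},
    "Helpdesk": {"sid": f"{DOMAIN}-1201", "memberOf": {"Tier2"}},
    "Tier2":    {"sid": f"{DOMAIN}-1202", "memberOf": set()},
}
OUS: Dict[str, Set[str]] = {"OU=Staff": {"alice", "bob", "Helpdesk"}}

READ, WRITE = 0x1, 0x2


@dataclass(frozen=True)
class ACE:
    allow: bool        # False = access-denied ACE
    trustee_sid: str   # always a SID, never a name or a DN
    mask: int          # rights this ACE grants or denies


def trustee_sid(name: str) -> str:
    """Resolve a name to the SID an ACE must carry; OUs cannot be trustees."""
    if name in OUS:
        raise ValueError(f"{name} is an OU and has no SID; it cannot be a trustee")
    return PRINCIPALS[name]["sid"]


def token_sids(name: str) -> Set[str]:
    """SIDs in the principal's access token: its own plus every group
    reachable through memberOf, so nested membership counts."""
    sids: Set[str] = set()
    todo = [name]
    while todo:
        current = todo.pop()
        sid = PRINCIPALS[current]["sid"]
        if sid in sids:
            continue
        sids.add(sid)
        todo.extend(PRINCIPALS[current]["memberOf"])
    return sids


def access_check(name: str, acl: List[ACE], requested: int) -> bool:
    """Walk the DACL in order: a deny ACE for one of the token's SIDs that
    overlaps the request refuses at once; allow ACEs accumulate rights
    until the whole request is covered."""
    sids = token_sids(name)
    granted = 0
    for ace in acl:
        if ace.trustee_sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
        else:
            granted |= ace.mask
            if (granted & requested) == requested:
                return True
    return (granted & requested) == requested


# Rights granted once, to the Tier2 group: alice gets them through the
# Helpdesk -> Tier2 nesting; bob sits in the same OU and gets nothing.
ACL_ALLOW = [ACE(True, trustee_sid("Tier2"), READ | WRITE)]

# Canonical order puts explicit denies first, so this deny wins for alice.
ACL_DENY_FIRST = [ACE(False, trustee_sid("Helpdesk"), WRITE)] + ACL_ALLOW

if __name__ == "__main__":
    print("alice write:", access_check("alice", ACL_ALLOW, WRITE))
    print("bob write:", access_check("bob", ACL_ALLOW, WRITE))
    print("alice write, deny first:", access_check("alice", ACL_DENY_FIRST, WRITE))
```

Membership of OU=Staff never enters the check: bob and alice share the OU, yet only alice, through her group chain, is granted WRITE. Trying to build an ACE for the OU fails in trustee_sid because there is no SID to put in it, which is the concrete form of the last paragraph above.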
