Windows NT account information is maintained today using a secure portion of the Registry on Domain Controllers. Using domain trust and pass-through authentication, a two-level hierarchy of domains provides some flexibility for organizing account management and resource servers. Within a domain, however, accounts are maintained in a flat name space with no internal organization.
The next version of Windows NT security uses the Windows NT Directory Services as the repository for account information. The Directory Services provides significant improvements over the Registry-based implementation in performance and scalability, and offers a feature-rich administrative environment.
The following diagram shows the hierarchical structure for a tree of Windows NT Domains, and the hierarchical name context within each domain using Organizational Units (OUs) as directory object containers.
Figure 1: Hierarchical structure of the Windows NT Directory Service