In the current release, Windows NT account information is stored in a secure portion of the Registry on Domain Controllers. Using domain trust and pass-through authentication, a two-level hierarchy of domains provides a degree of flexibility for organizing account management and resource servers. Within a domain, however, accounts are maintained in a flat name space with no internal hierarchical organization.
The next generation of Windows NT security uses the Windows NT Directory Services as the repository for account information. The Directory Service provides significant improvements over the Registry-based implementation in performance, scalability, and the richness of the administrative environment.
The advantages of integrating security account management with the Windows NT Directory Service are:
Storing the security account information in the Windows NT Directory Service means users and groups are represented as objects in the Directory. Read and write access to objects in the Directory can be granted for the object as a whole or for individual properties of the object. Administrators therefore have fine-grained control over who can update user or group information. For example, a Telecom operator group can be granted write access to only the user account properties related to office telephone equipment, without requiring full Account Operator or Administrator privileges.
The concept of groups is also simplified because local and global groups are both represented by group objects in the directory. Existing programming interfaces for local group access are still supported for complete backward compatibility. However, groups defined in the directory can be used either for domain-wide access control to resources or only for 'local' administration purposes on the domain controller.
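To make the object-versus-property granularity concrete, here is an added example (not from the original document, and not the real Windows NT DACL format or access-check algorithm) that models directory ACEs which apply either to a whole object or to a single property, using the Telecom operator case above; the property names and group names are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of directory-object access control (constructed for this
# example; it is not the Windows NT security descriptor format).
READ_PROP = "RP"
WRITE_PROP = "WP"


@dataclass(frozen=True)
class Ace:
    kind: str                   # "allow" or "deny"
    trustee: str                # user or group the ACE applies to
    right: str                  # READ_PROP or WRITE_PROP
    prop: Optional[str] = None  # None = applies to every property of the object


def access_check(dacl, groups, right, prop):
    """Walk the ACEs in order; the first ACE that matches the trustee, the
    right and (if property-scoped) the property decides. Deny ACEs are listed
    before allow ACEs, so an explicit deny wins. No match means denied."""
    for ace in dacl:
        if ace.trustee not in groups or ace.right != right:
            continue
        if ace.prop is not None and ace.prop != prop:
            continue  # property-scoped ACE for a different property
        return ace.kind == "allow"
    return False


# Assumed telephone-related properties the Telecom operators may edit.
TELECOM_PROPS = ("telephoneNumber", "otherTelephone", "facsimileTelephoneNumber")

# Constructed DACL for a user object: Administrators may write the whole
# object, everyone authenticated may read it, and Telecom Operators get
# write access only to the telephone properties.
USER_OBJECT_DACL = [
    Ace("deny", "Telecom Operators", WRITE_PROP, "displayName"),
    Ace("allow", "Administrators", WRITE_PROP),
    Ace("allow", "Administrators", READ_PROP),
    Ace("allow", "Authenticated Users", READ_PROP),
] + [Ace("allow", "Telecom Operators", WRITE_PROP, p) for p in TELECOM_PROPS]


def can_write(groups, prop):
    return access_check(USER_OBJECT_DACL, groups, WRITE_PROP, prop)


def can_read(groups, prop):
    return access_check(USER_OBJECT_DACL, groups, READ_PROP, prop)
```

A Telecom operator can change `telephoneNumber` but not `displayName` or `mail`, while a member of Administrators can write any property through the object-wide ACE.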