Security

In the current release, Windows NT account information is stored in a secure portion of the Registry on Domain Controllers. Using domain trust and pass-through authentication, a two-level hierarchy of domains provides a degree of flexibility for organizing account management and resource servers. Within a domain, however, accounts are maintained in a flat name space with no internal hierarchical organization.

The next generation of Windows NT security uses the Windows NT Directory Services as the repository for account information. The Directory Service provides significant improvements over the Registry-based implementation in the areas of performance, scalability, and feature-rich administrative environment.

Advantages of Directory Service Account Management

The advantages of integrating security account management with the Windows NT Directory Service are:

• Accounts for users, groups, and machines can be organized into directory containers called Organizational Units (OUs). A domain can have any number of OUs organized in a tree-structured name space. Businesses can organize the name space for account information to represent the departments and organizations in the company. User accounts, as well as OUs, are directory objects that can easily be renamed within the domain tree as people move to different departments in the organization.
• The Directory Service supports a much larger number of user objects (well over a million objects) with better performance than the Registry. Individual domain size is no longer limited by performance of the security account repository. A tree of connected Windows NT domains can support much larger, complex organization structures.
• Administration of account information is enhanced using advanced graphical tools for Directory Service management as well as through Active Directory support for scripting languages. Common tasks can be implemented using batch scripts to automate administration.
• Directory replication services support multiple copies of account information where updates can be made at any copy, not just the designated Primary Domain Controller. The LDAP protocol and directory synchronization support provides the mechanism to link the Windows NT directory with other directories in the enterprise.

Storing the security account information in the Windows NT Directory Service means users and groups are represented as objects in the Directory. Read and write access to objects in the Directory can be granted to the object as a whole, or to individual properties of the object. Administrators have fine-grain control over who can update user or group information. For example, a Telecom operator group can be granted write access to only user account properties related to office telephone equipment without requiring full Account Operator or Administrator privileges.

The concepts of groups is also simplified because local and global groups are both represented by group objects in the directory. Existing programming interfaces for local group access are still supported for complete backward compatibility. However, groups defined in the directory can be used for domain-wide access control to resources or only for 'local' administration purposes on the domain controller.