Active Directory Data Storage

Object-Based Security

A fundamental relationship exists between Active Directory and the security services that are included with Windows 2000. Active Directory stores domain security policy information that has direct bearing on the use of the system, such as domain-wide password restrictions and system access privileges. In addition, Windows 2000 implements an object-based security model and access control for all objects in Active Directory. Each object in Active Directory is associated with a unique security descriptor that defines the access permissions that are required to read or update the object properties. Permissions can be assigned at the property level.

Security Identifiers

Each security principal (user, group, and computer, as well as the domain itself) has a SID, which is the property (objectSid) that authoritatively identifies the object to the security system. The SID of a user, group, or computer is derived from the SID of the domain to which the object belongs; this SID is the same as the SID of the domain except that it has one extra 32-bit component called the relative identifier.

Security Descriptors

In Windows 2000, a security descriptor is associated with each object. The security descriptor defines the access control information that is associated with the object. Security descriptors include the following:

The header, which contains control flags and pointers to the four parts of the security descriptor.
The owner, which is a SID that indicates what user or group owns the object. The owner of an object has some inherent rights to the object.
The primary group, which is a SID that is present for POSIX compliance.
The discretionary access control list (DACL), which contains a list of access control entries that define who does and does not have specific types of access to the object. A DACL is controlled by the owner of the object. The owner can grant this control to others.
The system access control list (SACL), which contains a list of system access control entries that specify audit and alarm message generation when particular subjects attempt specific types of access to the object. SACL is controlled by security administrators (who are, by default, members of the Administrators group).

Default Object Security

When an object is created in Active Directory, its security descriptor can be specified manually by the object creator. If no security descriptor is specified, a default security descriptor is applied to the object. The default security descriptor is computed according to the following rules:

The Owner usually is assigned by default. If the creator's access token contains a default owner, the default is set as the "owner." Otherwise, the user SID of the object's creator is assigned. The only case in which the owner is not the user SID of the creator of the object is when the creator is a member of the Domain Administrators group. In that case, the default owner is set to the Domain Administrators group SID. Thus, all objects that are created by an administrator are owned by all members of the Domain Administrators group.
The Primary group is usually assigned by default. If the creator's access token contains a default primary group, this default group is set as the primary group. Otherwise, a NULL SID is assigned.
DACL is assigned as a new object's DACL if an explicit (not inherited) DACL is provided. The parent container's DACL is checked for any inheritable access control entries. If one is found, the inherited DACL is merged with the explicit DACL as the new object's DACL. If an explicit DACL is not provided, the default DACL that is provided by the Active Directory schema, if any, is used. If no default DACL is provided by Active Directory, the creator's access token is checked for a default DACL. If a default DACL is found in the owner's access token, it is assigned as the new object's DACL. If there is no default DACL in the creator's access token, no DACL is assigned to the new object. In this case, unconditional access is granted to everyone.
SACL is assigned as being any explicit SACL that is provided. The parent container's SACL is checked for any inheritable access control entries. If inheritable access control entries are found, the inherited SACL is merged with the explicit SACL as the new object's SACL. If an explicit SACL is not available, the default SACL that is provided by the Active Directory schema, if any, is used. If no default SACL is provided by Active Directory, no SACL is assigned.

Note

An object manager is different from an object's owner. Each object type has an object manager that handles creation of the object. Active Directory is the object manager for directory objects. NTFS is the object manager for file system objects.

For more information about how access control, access tokens, security principals, and security descriptors are used by the security subsystem, see "Access Control" in this book.