Active Directory Data Storage

Object-Based Security

A fundamental relationship exists between Active Directory and the security services that are included with Windows 2000. Active Directory stores domain security policy information that has direct bearing on the use of the system, such as domain-wide password restrictions and system access privileges. In addition, Windows 2000 implements an object-based security model and access control for all objects in Active Directory. Each object in Active Directory is associated with a unique security descriptor that defines the access permissions that are required to read or update the object properties. Permissions can be assigned at the property level.

Security Identifiers

Each security principal (user, group, and computer, as well as the domain itself) has a SID, which is the property (objectSid) that authoritatively identifies the object to the security system. The SID of a user, group, or computer is derived from the SID of the domain to which the object belongs; this SID is the same as the SID of the domain except that it has one extra 32-bit component called the relative identifier.
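The relationship just described can be checked directly against the binary form in which Active Directory stores objectSid. The following Python module is an added example, not code from the resource kit or from Microsoft: it decodes a SID blob, renders it in the familiar S-1-5-21-... text form, and splits a principal's SID into the domain SID plus the trailing 32-bit relative identifier (RID). The sample blob and the domain identifier values in it are constructed for illustration; the well-known RIDs in the table (500, 501, 502, 512, 513, 519) are fixed across all Windows domains, which is why detection and audit logic should key on the RID rather than on an account name that an administrator may have renamed.

```python
import struct

# Constructed sample, not taken from any real directory: the binary objectSid
# value of a hypothetical domain user.  Windows stores a SID as:
#   byte 0       revision (always 1)
#   byte 1       number of sub-authorities (at most 15)
#   bytes 2..7   48-bit identifier authority, big-endian
#   then         one 32-bit little-endian value per sub-authority
SAMPLE_OBJECT_SID = bytes([
    0x01, 0x05,                          # revision 1, five sub-authorities
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  # identifier authority 5 (NT Authority)
    0x15, 0x00, 0x00, 0x00,              # 21: marks a domain SID
    0xE8, 0x03, 0x00, 0x00,              # 1000  constructed domain identifier
    0xD0, 0x07, 0x00, 0x00,              # 2000  constructed domain identifier
    0xB8, 0x0B, 0x00, 0x00,              # 3000  constructed domain identifier
    0x51, 0x04, 0x00, 0x00,              # 1105: the relative identifier (RID)
])

# Well-known RIDs that are identical in every Windows domain.  Audit logic
# should key on these, not on account names, which can be renamed.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(blob):
    """Decode a binary objectSid into (revision, identifier_authority, sub_authorities)."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, blob[8:]))
    return revision, authority, subs


def build_sid(revision, authority, subs):
    """Encode the components back into the binary objectSid layout."""
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(blob):
    """Render a binary SID in the S-R-I-S-S... text form."""
    revision, authority, subs = parse_sid(blob)
    # Authorities that do not fit in 32 bits are written in hex by convention.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in subs])


def string_to_sid(text):
    """Inverse of sid_to_string, so a SID can be written back as binary."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    return build_sid(int(parts[1]), int(parts[2], 0), [int(p) for p in parts[3:]])


def split_domain_and_rid(blob):
    """Return (domain SID string, RID).

    A principal's SID is the domain SID with one extra 32-bit sub-authority
    appended, so the domain SID is everything except the last component.
    """
    revision, authority, subs = parse_sid(blob)
    if len(subs) < 2:
        raise ValueError("SID has no domain component to strip")
    domain_blob = build_sid(revision, authority, subs[:-1])
    return sid_to_string(domain_blob), subs[-1]


if __name__ == "__main__":
    text = sid_to_string(SAMPLE_OBJECT_SID)
    domain, rid = split_domain_and_rid(SAMPLE_OBJECT_SID)
    print("objectSid :", text)
    print("domain SID:", domain)
    print("RID       :", rid, WELL_KNOWN_RIDS.get(rid, "(not a well-known RID)"))
```

Because the RID is simply the final sub-authority, comparing the domain portion of two SIDs tells you whether two principals belong to the same domain, and a lookup of the RID against the well-known table identifies built-in accounts such as RID 500 even when the account has been renamed.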

Security Descriptors

In Windows 2000, a security descriptor is associated with each object. The security descriptor defines the access control information that is associated with the object. Security descriptors include the following:

Default Object Security

When an object is created in Active Directory, its security descriptor can be specified manually by the object creator. If no security descriptor is specified, a default security descriptor is applied to the object. The default security descriptor is computed according to the following rules:

Note

An object manager is different from an object's owner. Each object type has an object manager that handles creation of the object. Active Directory is the object manager for directory objects. NTFS is the object manager for file system objects.

For more information about how access control, access tokens, security principals, and security descriptors are used by the security subsystem, see "Access Control" in this book.

© 1985-2000 Microsoft Corporation. All rights reserved.