Active Directory
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Active Directory is software developed by Microsoft for managing multiple users and computer resources. It is used primarily on Windows servers and allows network administrators to categorize resources and delegate permissions with ease using structures called "forests".
[Diagram: example domains labelled Students, Accounting, Interns, New, Contractors, and Admins, containing users such as Jolene, Bob, and Debra]
Domains are collections of users and computers that are categorized with different permissions and settings. Domains contained in the same Active Directory make up what is called a Tree. With all of the domains linked to the same Active Directory, trusts are automatically applied to them, as are any new changes or settings.
The users and computers within these domains are linked to one another and have access to each other's resources, provided they have the right credentials. A user or computer may also be in multiple domains at the same time, since it may have multiple permissions or qualifiers.
Some domains have their own Active Directory containing only that one domain. Sticking with the forest metaphor, it helps to think of these as bushes or saplings: they are still considered trees and are still part of the forest.
Trees are linked to each other by trusts, giving domains access to even more resources. Think of it as an intertwining root system. Every tree, domain, user, and computer within the forest also shares the same schema. Imagine it as the earth in which every tree and plant is rooted. The schema defines what types of objects can exist within the Active Directory and what the rules regarding them are. Remember, some plants can only grow in certain types of soil.
Schema
[Diagram: the schema covering usernames, passwords, properties, and privileges]
When changes are made to the schema, they are replicated to every domain and tree throughout the forest. This is akin to how water soaks through the soil to feed the root system of a forest.
With all these domains, trees, users, and computers linked together, it is significantly easier for administrators, and for other people with the proper permissions, to edit and update the server.
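The forest, tree, trust, and schema structure described on these slides can be inspected directly. The following read-only script is an added example, not part of the original module; it assumes the RSAT ActiveDirectory PowerShell module is installed and that it runs on a domain-joined machine with ordinary read access to the directory.

```powershell
# Added example, not part of the original module. Lists the forest structure
# the slides describe: the forest, its domains (tree roots and child domains),
# the trusts that link them, and the single schema they all share.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest:        $($forest.Name)"
"Forest root:   $($forest.RootDomain)"
"Schema master: $($forest.SchemaMaster)"
"Domains in the forest:"
$forest.Domains | ForEach-Object { "  $_" }

# Each domain knows its parent and children. A domain with no parent is the
# root of a tree (or, in the slides' words, a sapling if it stands alone).
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    [pscustomobject]@{
        Domain   = $d.DNSRoot
        TreeRoot = [string]::IsNullOrEmpty($d.ParentDomain)
        Parent   = $d.ParentDomain
        Children = ($d.ChildDomains -join ', ')
    }
}

# Trusts are the "root system": direction and transitivity decide how far a
# credential issued in one domain reaches into another.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize

# The schema exists once per forest; count the object classes it defines.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classes  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)'
"Schema naming context:  $schemaNC"
"Object classes defined: $(@($classes).Count)"
```

The trust listing is the part worth reading closely: a two-way, forest-transitive trust is what lets a credential from one tree reach resources in another, which is exactly the reach an attacker inherits if that credential is stolen.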
Now that we know the structure of an Active Directory, let's discuss its capabilities in greater detail. Active Directory provides 5 different services: Domain Services, Certificate Services, Lightweight Directory Services, Directory Federation Services, and Rights Management.
Domain Services
Domain Services stores directory data and communicates it between domains, users, and trees. It also performs login authentication and provides search functionality.
Certificate Services
Certificate Services creates, manages, and distributes secure certificates. These certificates allow users to access and use various programs and assets within a network.
Lightweight Directory Services
Lightweight Directory Services use LDAP, which stands for "Lightweight Directory Access Protocol". LDAP gives access to the Active Directory over the internet and is an open protocol, meaning it can be used on any type of machine. The LDAP hierarchy is made up of 6 different levels: the root directory, countries, organizations, divisions (or departments), individuals, and individual resources such as printers and files.
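An LDAP distinguished name (DN) encodes exactly this hierarchy, written leaf-first. The function below is an added example, not code from the original module: it splits a DN into its components and labels each one with the level named on the slide. The DNs it is run against are constructed for illustration (the user "Jolene" in an "Accounting" division). One caveat a practitioner should know: Active Directory itself names its domains with dc= components (for example dc=example,dc=edu) rather than the country and organization levels of the classic model, so the function maps dc= as well.

```powershell
# Added example, not part of the original module. Walks an LDAP distinguished
# name from the root down and labels each component with the slide's level.
function Get-LdapHierarchy {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Map RDN attribute types to the hierarchy levels named on the slide.
    # AD names its domains with dc= components, so that type is included too.
    $levels = @{
        'c'  = 'Country'
        'o'  = 'Organization'
        'ou' = 'Division / Department'
        'cn' = 'Individual or Individual Resource'
        'dc' = 'Domain component (how AD names its domains)'
    }

    # A DN is written most-specific first ("cn=Jolene,ou=Accounting,..."),
    # so split on unescaped commas and reverse to walk root -> leaf.
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    [array]::Reverse($rdns)

    $depth = 0
    foreach ($rdn in $rdns) {
        $type, $value = $rdn.Trim() -split '=', 2
        $label = $levels[$type.ToLower()]
        if (-not $label) { $label = "Unknown attribute type '$type'" }
        [pscustomobject]@{
            Depth = $depth
            Level = $label
            Type  = $type
            Value = $value
        }
        $depth++
    }
}

# Constructed DN following the slide's six-level model: user Jolene in the
# Accounting division of an organization in the US.
Get-LdapHierarchy -DistinguishedName 'cn=Jolene,ou=Accounting,o=Example University,c=US' |
    Format-Table -AutoSize

# The same user as Active Directory would actually name her, with domain
# components in place of country and organization (constructed DN).
Get-LdapHierarchy -DistinguishedName 'CN=Jolene,OU=Accounting,DC=example,DC=edu' |
    Format-Table -AutoSize
```

The split uses a negative lookbehind so that a comma escaped with a backslash inside a value (for example a name written as "Doe\, Jolene") is not treated as a component boundary; naive splitting on every comma is a common source of mis-parsed DNs.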
Directory Federation Services
Next we have Directory Federation Services, which grants the user Single Sign-On (or SSO for short). SSO gives the user the ability to be authenticated to multiple applications simultaneously.
Rights Management
Lastly, we have Rights Management, which protects copyrighted materials by keeping out unauthorized users and preventing the distribution of data.
Pros
Centralized Resources and Security Administration
The most useful thing about Active Directory is that it has all of its resources in one well-structured organizational model. This allows management and security policies to be implemented easily across multiple domains.
SSO
With the single sign-on we talked about earlier, it is vastly easier for users to access resources wherever they may be.
Simplified Resource Location
Active Directory provides a location where files and resources can be published and searched for with ease. This allows users to find the resources they need quickly and easily.
Security Threats
Granting Permissions
It is exceedingly easy, when granting permissions, to give some users in a domain or tree credentials that they are not supposed to have. This can be avoided by using a careful hand when doling out permissions.
Too Many Administrators
Having administrators is important, but having too many of them can be a potential problem. Having so many people with such dominion over the directory can cause data leaks through privilege abuse. It's important to keep the number of individuals with total power over the directory to a minimum.
Inactive Accounts
Inactive accounts are another problem caused by excess. These accounts are left over from users long past and are quite easy to ignore. They may seem harmless, but if an attacker gains access to one that has higher authority, they can gain access to vital data within the Active Directory. Admins should therefore make sure that old accounts are deleted as soon as they are no longer required.
Vulnerable Passwords
Passwords are important in every facet of cyber security, and Active Directory is no exception. This is especially important for users with higher credentials. If an administrator loses their login information to an attacker, the entirety of the network can be accessed and changed by the attacker.
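The three excesses above (too many administrators, inactive accounts, and weak password rules on high-privilege accounts) can be audited in one pass. The script below is an added example, not part of the original module; it assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day inactivity threshold, which is an assumption to adjust to local policy. It changes nothing: the only write operation is run with -WhatIf so it previews instead of acting.

```powershell
# Added example, not part of the original module. Audits the slide's three
# concerns: too many administrators, inactive accounts, and the password
# policy that actually applies to privileged accounts. Read-only unless the
# -WhatIf on the last line is removed after review.
Import-Module ActiveDirectory

$InactiveDays     = 90      # assumption: no logon for 90 days counts as inactive
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# --- Too Many Administrators --------------------------------------------------
# -Recursive expands nested groups, so an admin hidden one group deep is counted.
$privilegedUsers = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{ Name = 'Group'; Expression = { $group } }, SamAccountName, DistinguishedName
}
$privilegedUsers | Group-Object -Property Group |
    Select-Object Name, Count |
    Format-Table -AutoSize
$privilegedDNs = $privilegedUsers.DistinguishedName | Sort-Object -Unique

# --- Inactive Accounts --------------------------------------------------------
# LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
# which can be up to 14 days behind the real last logon; allow for that margin.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }

# A stale account that is also privileged is the case the slide warns about.
$stale |
    Select-Object SamAccountName, LastLogonDate,
        @{ Name = 'Privileged'; Expression = { $privilegedDNs -contains $_.DistinguishedName } } |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize

# --- Vulnerable Passwords -----------------------------------------------------
# Show which password policy actually governs each privileged account. When no
# fine-grained policy is assigned, the default domain policy is what applies.
$policyReport = foreach ($dn in $privilegedDNs) {
    $user   = Get-ADUser -Identity $dn
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($policy) {
        $policyName = $policy.Name
    } else {
        $policy     = Get-ADDefaultDomainPasswordPolicy
        $policyName = 'Default Domain Policy'
    }
    [pscustomobject]@{
        User              = $user.SamAccountName
        Policy            = $policyName
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
        LockoutThreshold  = $policy.LockoutThreshold
    }
}
$policyReport | Format-Table -AutoSize

# --- Remediation --------------------------------------------------------------
# Disable stale accounts before deleting them (deletion discards group
# memberships and the audit trail). -WhatIf previews without changing anything.
$stale | Disable-ADAccount -WhatIf
```

Run the report first and review the privileged rows by hand: an account with no recent logon that still sits in Domain Admins is the highest-value finding, and disabling it removes the exposure while keeping the object for investigation.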
Cons
Cost
With great convenience comes an even greater price tag. The software and upkeep for Active Directory can be pretty expensive, not to mention the cost of the physical servers and computers themselves.
Windows Centric
With Active Directory, a Windows-centric workplace is essential. You'll often find problems integrating or accessing Active Directory from cross-platform computers.
Eggs in One Basket
When Active Directory keeps track of all your assets and is your network, if it goes down, there goes the ability to do just about anything. Not to mention that it makes one big target when it comes to attacks from hackers.
Active Directory is a useful and effective method of creating a network structure and hierarchy. It's easy to use and comes with prebuilt assets to help with its setup and use. This convenience comes at the cost of brand loyalty and potential security concerns, but if dealt with in a careful manner, it can more than pay off.