A Guide to the Active Directory Security Model

Active Directory's security model secures and protects every object stored in Active Directory, including domain user accounts and domain computer accounts, domain security groups and group policies. The Active Directory Security model allows administrators to specify who has what access to which object to a high degree of control. It also allows administrators to specify access for an entire group of users so as to simply security management.

 

The following is an overview of how Active Directory's security model protects stored content –

  1. Each object is protected by a component known as a Security Descriptor

  2. Each security descriptor contains amongs other compronents, an Access Control List (ACL)

  3. Each ACL contains one or more Access Control Entries (ACEs)

  4. Each ACE allows or denies specific security permissions to some security principal

  5. Security groups can be specified and be part of security groups

  6. ACEs can be explicit or inherited; explicit ACEs override inherited ACEs

  7. Access is specified in the form of low–level technical permissions

  8. These low-level permissions can be standard permissions, or special permissions such as extended rights or validated writes

  9. Active Directory's current object visibility mode impacts list access requests

  10. The access check takes into account the object's ACL and the user's token and determines resultant access for user on the object

In this manner, Active Directory's security model secures and protects Active Directory content.