Active Directory
Domain controller
A Windows server that holds a copy of the Active Directory database.
Active Directory
A centralized database that contains user account and security information.
Group Policy Object (GPO)
A collection of policy settings that are stored in Active Directory.
Forest
A collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
Organizational Unit (OU)
A container (similar to a folder) that subdivides and organizes other OUs, users, groups, and computers within a domain.
Domain Controller
A domain controller is a Windows server that holds a copy of the Active Directory database. A domain controller is a member of only one domain. A domain can contain multiple domain controllers. Each domain controller holds a copy of the Active Directory database. Any domain controller can make changes to the Active Directory database. Replication is the process of copying changes made to the Active Directory database between all of the domain controllers in the domain.
Domain
A domain is an administratively defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure. Database information is replicated (shared or copied) within a domain. Security settings are not shared between domains. Each domain maintains its own set of relationships with other domains. Domains are identified using DNS names. The common name is the domain name itself. The distinguished name includes the DNS context or additional portions of the name.
Tree
A group of related domains that share the same contiguous DNS namespace.
Group Policy Facts
A policy is a set of configuration settings applied to users or computers. Group policies allow the administrator to apply multiple settings to multiple objects within the Active Directory domain at one time. Collections of policy settings are stored in a Group Policy Object (GPO).
Policy
A set of configuration settings applied to users or computers.
GPOs contain hundreds of configurable settings. The following table describes common setting categories you should be familiar with.
Account Policies, Local Policies/Audit Policy, Local Policies/User Rights Assignment, Local Policies/Security Options, Registry, File System, Software Restriction Policies, Administrative Templates
Administrative Templates
Administrative templates are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as: controlling the use of Windows features such as BitLocker, Offline Files, and Parental Controls; customizing the Start menu, taskbar, or desktop environment; controlling notifications; restricting access to Control Panel features; and configuring Internet Explorer features and options.
User Account Control (UAC) helps minimize the dangers of unwanted actions or unintended software installations. UAC prompts for permission before allowing changes that can affect your computer's security or performance.
Always notify, Notify me only when apps try to make changes to my computer (default), Notify me only when apps try to make changes to my computer (do not dim my desktop), Never notify
Domain
An administratively defined collection of network resources that share a common directory database and security policies.
Organizational Unit (OU)
An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit is a container object; can contain other OUs or any type of leaf object (e.g., users, computers, and printers); can be used to logically organize network resources; and simplifies security administration.
Each GPO has a common structure and hundreds of configuration settings that can be enabled and configured. Settings in a Group Policy object are divided into two categories:
Computer Configuration and User Configuration
Local Policies/User Rights Assignment
Computer policies include a special category of policies called user rights.
The GPO includes registry settings, scripts, templates, and software-specific configuration values.
GPOs can be linked to Active Directory domains, organizational units (OUs), and containers.
Active Directory is a centralized database that contains user account and security information.
In a workgroup environment, authentication, security, and management all take place on each individual computer, with each device independently storing information about users and configuration settings.
Built-in Containers
Like OUs, generic built-in containers are used to organize Active Directory objects. However, built-in container objects have several differences: They are created by default. They cannot be created, moved, renamed, or deleted. They have very few editable properties.
Administrators
Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The Administrator user account and any other account designated as a "computer administrator" are members of this group.
Backup Operators
Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. Members of this group cannot change security settings.
Cryptographic Operators
Members of the Cryptographic Operators group are allowed to perform cryptographic operations.
Event Log Readers
Members of the Event Log Readers group are allowed to use Event Viewer to read the system's event logs.
Guests
Members of the Guests group have limited rights (similar to members of the Users group). Members can shut down the system.
Hyper-V Administrators
Members of the Hyper-V Administrators group are allowed to use Hyper-V on the system to create and manage virtual machines.
Network Configuration Operators
Members of the Network Configuration Operators group have limited administrative privileges to allow them to manage the system's network configuration.
Performance Log Users
Members of the Performance Log Users group are allowed to schedule logging of performance counters, enable trace providers, and collect event traces on the system.
Performance Monitor Users
Members of the Performance Monitor Users group can access performance counter data on the system.
Remote Desktop Users
Members of the Remote Desktop Users group are allowed to access the system remotely using the Remote Desktop Client.
Users
Members of the Users group can use the computer but cannot perform system administration tasks and might not be able to run some legacy applications.
Power Users
Modern versions of Windows no longer use the Power Users group, although it still exists for backwards compatibility. This group was originally used in Windows XP and earlier.
Trees and Forests
Multiple domains are grouped together in the following relationship: A tree is a group of related domains that share the same contiguous DNS namespace. A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.
Local Policies/Security Options
Security Options allow you to apply or disable rights for all users the Group Policy applies to.
User policies are enforced for specific users. User policy settings include:
Software that should be installed for a specific user. Scripts that should run at logon or logoff. Internet Explorer user settings (such as favorites and security settings). Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree). User policies are initially applied as the user logs on and often customize Windows-based user preferences.
Computer policies (also called machine policies) are enforced for the entire computer and are applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer. Computer policies include:
Software that should be installed on a specific computer. Scripts that should run at startup or shutdown. Password restrictions that must be met for all user accounts. Network communication security settings. Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree). Computer policies are initially applied as the computer boots and are enforced before any user logs on.
Account Policies
Use Account Policies to control the following: Password settings. Account lockout settings. Kerberos settings.
Local Policies/Audit Policy
Use Audit Policy settings to configure auditing for events such as log on, account management, or privilege use.
File System
Use File System policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.
Software Restriction Policies
Use Software Restriction Policies to define the software permitted to run on any computer in the domain.
Objects
Within Active Directory, each resource is identified as an object. Common objects include: Users, Groups, Computers. You should know the following about objects: Each object contains attributes (i.e., information about the object, such as a user's name, phone number, and email address), which are used for locating and securing resources. Active Directory uses DNS for locating and naming objects. Container objects hold other objects, either other containers or leaf objects.
Objects
Within Active Directory, each resource (such as a user, group, or computer) is identified as an object.
Registry
You can use registry policies to: Configure specific registry keys and values. Specify if a user can view and/or change a registry value, view sub-keys, or modify key permissions.