April 10, 2013

Understanding Active Directory Containers

Containers of various types are the building block of an Active Directory infrastructure. Some are built-in, while others are fully customized. It is important to know about all the different active directory containers when planning any network infrastructure.

Overview
Active Directory is a directory service that is used to store information about various network resources and nodes throughout a domain. It aids in administration by providing centralized management of the network. Directory services like Active Directory essentially catalogue information about objects on the network. For example, if you wanted to know what group Jane was a part of, and what access that group has to the Accounting department files, all of that information can be obtained and used in Active Directory.

Active Directory treats all parts of the network as objects. Objects come in three distinct flavors: Resources (printers, network storage, etc), Users (individual user accounts and user groups), and Services (email, etc.). Objects can also contain other objects - in fact this is the main infrastructure of Active Directory. It is heirarchical. Objects that contain other objects are called Containers, and objects that can contain no other objects (such as an individual user) are called leaf objects or leaves.

Containers are an integral part of the Active Directory system. Some container objects are created by default when you promote the first Domain controller (see, promoting a domain controller). Others are created by the administrator for logical grouping, setting permissions, and other reasons. Let's take a look at the different kinds of container objects.

Default Container Objects
There are several container objects that are installed by default when you promote the first domain controller on your network. When you promote the DC, Active Directory installs for the first time, and these containers are created. They differ from manually created containers because their object attribute type is literally named a container. They don't have the same properties as other generic Active Directory containers (such as sites, domains, and OUs). You cannot delete them nor can you create new objects of that container object type. You can also not associate Group Policy Objects with these. These containers are:

Computers - All member servers in the domain are placed, by default, in the Computers container. Additionally, all workstations joined to the domain also appear in this container.

Users - Much like how Computers and Servers joined to the domain are auto-dumped into the Computers container, Users of all levels are automatically placed inside the Users container.

Builtin - Builtin does much what its name implies. It is the container that stores default groups, such as Backup Operators, Server Operators, and Group Policy Creator Owners. These groups are preconfigured with permissions to perform specific tasks that administrators will often make use of.

ForeignSecurityPrincipals - Controls and displays "trust" relationships with other domains.

Generic and Created Container Objects
In addition to the aforementioned default and special containers, there are three major types of containers that are configured manually and are considered "generic". In contrast to the above containers, these are most often used to link group policy objects. When you link a group policy to a container it enforces that policy on all the objects (be it users, computers, nested groups, etc.) inside. Let's look at these types of containers:

Site - A site is actually a physical grouping of objects based upon IP Addresses. A site cannot span multiple physical locations, but rather emcompasses network objects and devices in one area. For example, the Thneed company has offices in Seattle, Los Angeles, and Miami. Each office is a physical location, and therefore is considered a "site". The site container is a logical representation of what is physically true.

Domain - The domain container holds all of the other objects that are a part of that domain. You can link a GPO to a domain object if you want to enforce a specific rule upon the domain as a whole. This makes centralized management a true reality.

Organizational Unit - Organizational Units are nothing fancy. They are simple a container that the administrator creates that he can use for any purpose. Most administrators will create logical organizational units and place users and/or groups inside them in order to setup specific permissions or policy. For example, he may create an organizational unit called "Accounting" and place the executives and the accounting department into it in so that they can have access to specific resources that are not available to the rest of the network.

No comments:

Post a Comment