Active Directory and Domain - simply explained

In connection with permissions and resource allocation, IT administrators often speak of Active Directory or a domain. With today's article we would like to shed some light on the subject and explain what functionality Active Directory and a domain provide and how they can support security and the allocation of rights.

Explained using a simple example

To simplify the explanation, let's start with an example.

100 employees work in a company. All employees must be able to log on to all 100 company computers, but are only allowed to use the resources (printers, folders, databases) to which they have access according to the written authorization concept.

In order not to have to set up 100 user accounts on all 100 computers (a total of 10,000 accounts) and to assign different rights individually and manually, all information is stored centrally in a directory service (Active Directory). This makes the administrator's work easier not only when creating user accounts but also when managing them: when an employee changes their password, for example, the change only has to be made centrally in the Active Directory and not on all 100 computers.

The administrator must also assign different authorizations, as not everyone is allowed to access the personnel department's printer or the customer database, for example. So that the admin does not have to set this individually and manually for each of the 100 employees, he sets up different groups (domains) that contain different authorizations and assigns the individual employees to the corresponding domain. For example, he sets up the personnel group (domain) with certain rights and assigns all employees from the personnel department to this group. These employees can now automatically access the employee database or the personnel department's printer, for example, while all other employees cannot.

In most cases, however, it is advisable to create just one domain with different organizational units that contain different guidelines.

What is an Active Directory?

Active Directory is a central directory service from Microsoft. It is like a phone book for the company intranet, as it stores detailed information (for a user, e.g. name and e-mail address) in a central database. Active Directory makes central administration and control of a network possible.

Active Directory offers another advantage for the administrator because it allows all objects (users, but also computers, printers, file folders, etc.) to be managed centrally, which simplifies the administration of all objects in a network.

Active Directory offers an advantage for employees because they can access all resources (printers, folders, software, databases) assigned to them from different computers within the company network with a single central login (Windows login).

Active Directory therefore supports the structuring of the network and technically reproduces the organization with all rights and authorizations.

What is a domain?

A domain, on the other hand, represents an independent security area that can be managed centrally.

The Active Directory includes at least one domain. Each domain has its own security area with guidelines and relationships that then determine which employee can log in with which password and which objects they can access. In each domain, only information about the objects contained in the respective domain (users, folders, hardware components such as printers, etc.) is saved.

The information is not stored locally on the respective computers but centrally on a server (so-called domain controller).

The individual domain can be further structured with the help of organizational units, which then also contain different guidelines. This is more common in practice, as creating and managing multiple domains means more administrative effort.
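The article's example (a personnel department inside a single domain that is structured with organizational units) could be set up as follows. This is an added illustration, not code from the original article; it assumes the ActiveDirectory PowerShell module and an administrative session, and the domain `example.local`, the share path, the group `GRP-Personnel` and the user `jdoe` are constructed placeholders.

```powershell
# Added example. All names below are constructed placeholders.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=local'          # placeholder domain
$ouName   = 'Personnel'
$ouDN     = "OU=$ouName,$domainDN"
$group    = 'GRP-Personnel'
$folder   = '\\fileserver\EmployeeData'    # placeholder share

# 1. One organizational unit per department inside the single domain.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true
}

# 2. A security group carries the department's rights.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 3. The account is created once, centrally, instead of on every computer.
#    The initial password is prompted for and must be changed at first logon.
$initialPw = Read-Host -AsSecureString 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -Path $ouDN `
    -AccountPassword $initialPw -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity $group -Members 'jdoe'

# 4. Grant the folder to the group, never to individual users, so that
#    access follows group membership and can be reviewed in one place.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "EXAMPLE\$group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 5. Review step: list everyone who currently holds the department's rights,
#    including members of nested groups.
Get-ADGroupMember -Identity $group -Recursive |
    Select-Object Name, SamAccountName
```

Comparing the output of the last command with the written authorization concept shows whether the rights in the directory still match what was approved.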

Security with Active Directory or domains

On the one hand, Active Directory or domains can support security by coordinating permissions and rights. On the other hand, however, it must also be noted that these functionalities themselves are also exposed to a number of technical and non-technical threats.

For this purpose, the Federal Office for Information Security (BSI) has listed the individual threats and enumerated measures to ensure safe use.

About the author

Agnieszka Czernik, Lawyer

Data protection and IT (security) serve to protect privacy and corporate values. Maintaining these interests and working in two diverse and interesting areas at the same time is my passion.

intersoft consulting services AG
