1.1 Glossary

This document uses the following terms:

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.

Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.

Active Directory object: A set of directory objects that are used within Active Directory as defined in [MS-ADTS] section 3.1.1. An Active Directory object can be identified by a dsname. See also directory object.

Administrative tool: An implementation-specific tool, such as the Group Policy Management Console, that allows administrators to read and write policy settings from and to a Group Policy Object (GPO) and policy files. The Group Policy Administrative tool uses the Extension list of a GPO to determine which Administrative tool extensions are required to read settings from and write settings to the logical and physical components of a GPO.

client: A domain member that is involved in a policy application mode sequence.

client-side extension GUID (CSE GUID): A GUID  that enables a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.

computer account: See machine account.

computer policy mode: A mode of policy application intended to retrieve settings for the computer account of the client.

computer-scoped Group Policy Object distinguished name: A scoped Group Policy Object (GPO) distinguished name (DN) that begins with "CN=Machine".

computer-scoped Group Policy Object path: A scoped Group Policy Object (GPO) path that ends in "\Machine".

curly braced GUID string: The string representation of a 128-bit globally unique identifier (GUID) using the form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, where X denotes a hexadecimal digit. The string representation between the enclosing braces is the standard representation of a GUID as described in [RFC4122] section 3. Unlike a GUIDString, a curly braced GUID string includes enclosing braces.

directory string: A string encoded in UTF-8 as defined in [RFC2252] section 6.10.

discretionary access control list (DACL): An access control list (ACL) that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

distinguished name (DN): A name that uniquely identifies an object by using the relative distinguished name (RDN) for the object, and the names of container objects and domains that contain the object. The distinguished name (DN) identifies the object and its location in a tree.

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

domain account: A stored set of attributes representing a principal used to authenticate a user or machine to an Active Directory domain.

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].

domain member (member machine): A machine that is joined to a domain by sharing a secret between the machine and the domain.

Domain Name System (DNS): A hierarchical, distributed database that contains mappings of domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

domain naming context (domain NC): A partition of the directory that contains information about the domain and is replicated with other domain controllers (DCs) in the same domain.

domain user: A user with an account in the domain's user account database.

enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically associated with a scope of management (SOM) so that the associated GPO has a higher GPO precedence compared to non-enforced GPOs that are associated with the same SOM and compared to all GPOs that are associated with descendant SOMs. An enforced GPO cannot be blocked by a descendant SOM using the gpOptions attribute.

forest: One or more domains that share a common schema and trust each other transitively. An organization can have multiple forests. A forest establishes the security and administrative boundary for all the objects that reside within the domains that belong to the forest. In contrast, a domain establishes the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain has individual security policies and trust relationships with other domains.

fully qualified domain name (FQDN): An unambiguous domain name that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

Group Policy: A mechanism that allows the implementer to specify managed configurations for users and computers in an Active Directory service environment.

Group Policy client: A client computer that receives and applies settings of a GPO. The Group Policy client can use client-side extensions to extend the functionality of the Group Policy protocols.

Group Policy extension: A protocol that extends the functionality of Group Policy. Group Policy extensions consist of client-side extensions and Administrative tool extensions. They provide settings and other Group Policy information that can be read from and written to Group Policy data store components. Group Policy Extensions depend on the Group Policy: Core Protocol, via the core Group Policy engine, to identify GPOs containing a list of extensions that apply to a particular Group Policy client.

Group Policy Object (GPO): A collection of administrator-defined specifications of the policy settings that can be applied to groups of computers in a domain. Each GPO includes two elements: an object that resides in the Active Directory for the domain, and a corresponding file system subdirectory that resides on the sysvol DFS share of the Group Policy server for the domain.

Group Policy Object (GPO) container version: A GPO version stored in the Active Directory portion of the GPO.

Group Policy Object (GPO) distinguished name (DN): An LDAP distinguished name (DN) for an Active Directory object of object class groupPolicyContainer. All such object paths will be paths of the form "LDAP://<gpo guid>,CN=policies,CN=system,<rootdse>", where <rootdse> is the root DN path of the Active Directory domain and <gpo guid> is a GPO GUID.

Group Policy Object (GPO) distinguished name (DN) list: An ordered set of scoped GPO DNs, one for each GPO for which a Group Policy extension is to request and retrieve settings. Each element in the list corresponds to one of the elements in the corresponding GPO path list. An element in the GPO DN list corresponds to an element in the GPO path list if both elements have the same ordinal number in their respective lists.

Group Policy Object (GPO) file system version: A Group Policy Object (GPO) version stored in the file system portion of the GPO.

Group Policy Object (GPO) GUID: A curly braced GUID string that uniquely identifies a Group Policy Object (GPO).

Group Policy Object (GPO) path: A domain-based Distributed File System (DFS) path for a directory on the server that is accessible through the DFS/SMB protocols. This path will always be a Universal Naming Convention (UNC) path of the form: "\\<dns domain name>\sysvol\<dns domain name>\policies\<gpo guid>", where <dns domain name> is the DNS domain name of the domain and <gpo guid> is a Group Policy Object (GPO) GUID.

Group Policy Object (GPO) precedence: An ordering between the GPOs that are associated with a policy target. A policy setting defined in a GPO that has a lower precedence can be overridden by a policy setting defined in a GPO that has a higher precedence.

Group Policy server: A server holding a database of Group Policy Objects (GPOs) that can be retrieved by other machines. The Group Policy server must be a domain controller (DC).

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].

link order: An integer that describes the precedence of a GPO that is associated with a scope of management (SOM) when compared to other GPOs that are associated with that SOM. A GPO that has a smaller link order associated with an SOM has higher GPO precedence than a GPO that has a higher link order associated with the same SOM.

machine Group Policy Object (GPO) version: A version number of the changes for the computer policy portion of a Group Policy Object (GPO). This is a 16-bit integer encoded in the lower 16 bits of a GPO version.

policy application: The protocol exchange by which a client obtains all of the Group Policy Object (GPO) and thus all applicable Group Policy settings for a particular policy target from the server, as specified in [MS-GPOL]. Policy application can operate in two modes, user policy and computer policy.

policy setting: A statement of the possible behaviors of an element of a domain member computer's behavior that can be configured by an administrator.

policy source: The LDAP distinguished name of an Active Directory account object that is used to compute a GPO list.

policy target: A user or computer account for which policy settings can be obtained from a server in the same domain, as specified in [MS-GPOL]. For user policy mode, the policy target is a user account. For computer policy mode, the policy target is a computer account.

remote procedure call (RPC): A communication protocol used primarily between client and server. The term has three definitions that are often used interchangeably: a runtime environment providing for communication facilities between computers (the RPC runtime); a set of request-and-response message exchanges between computers (the RPC exchange); and the single message from an RPC exchange (the RPC message).  For more information, see [C706].

root directory system agent-specific entry (rootDSE): The logical root of a directory server, whose distinguished name (DN) is the empty string. In the Lightweight Directory Access Protocol (LDAP), the rootDSE is a nameless entry (a DN with an empty string) containing the configuration status of the server. Access to this entry is typically available to unauthenticated clients. The rootDSE contains attributes that represent the features, capabilities, and extensions provided by the particular server.

scope of management (SOM): An Active Directory site, domain, or organizational unit container. These containers contain user and computer accounts that can be managed through Group Policy. These SOMs are themselves associated with Group Policy Objects (GPOs), and the accounts within them are considered by the Group Policy Protocol [MS-GPOL] to inherit that association.

scoped Group Policy Object (GPO) distinguished name (DN): A Group Policy Object (GPO) distinguished name (DN) where the set of "CN=<cn>" elements is prepended with "CN=User" for the user policy mode of policy application and with "CN=Machine" for computer policy mode.

scoped Group Policy Object (GPO) path: A Group Policy Object (GPO) path appended with "\User" for the user policy mode of policy application, and "\Machine" for the computer policy mode.

site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects) an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When users log in, Active Directory clients find domain controllers (DCs) that are in the same site as the user, or near the same site if there is no DC in the site. See also Knowledge Consistency Checker (KCC). For more information, see [MS-ADTS].

site distinguished name (DN): The distinguished name (DN) for an object in Active Directory that represents a site.

system volume (SYSVOL): A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.

tool extension GUID or administrative plug-in GUID: A GUID defined separately for each of the user policy settings and computer policy settings that associates a specific administrative tool plug-in with a set of policy settings that can be stored in a Group Policy Object (GPO).

trusted third party: A trusted third party issues signed statements to stated parties enabling those stated parties to act on another identity's behalf for a certain amount of time. The trusted third party is trusted to perform a set of specialized functions, such as a security token service that provides authentication and single sign-on services to web services (see [MSDN-SUBSYSDSGN] for more information). As a trusted authentication service on the network, this service knows all passwords and can grant access to any server. This characteristic is convenient but also a single point of failure, and so requires a high level of physical security. For the Kerberos authentication protocol, the trusted third party arbitrator is a server known as a Key Distribution Center (KDC) that runs the Kerberos daemons.

Unicode: A character encoding standard developed by the Unicode Consortium that represents almost all of the written languages of the world. The Unicode standard [UNICODE5.0.0/2007] provides three forms (UTF-8, UTF-16, and UTF-32) and seven schemes (UTF-8, UTF-16, UTF-16 BE, UTF-16 LE, UTF-32, UTF-32 LE, and UTF-32 BE).

Unicode string: A Unicode 8-bit string is an ordered sequence of 8-bit units, a Unicode 16-bit string is an ordered sequence of 16-bit code units, and a Unicode 32-bit string is an ordered sequence of 32-bit code units. In some cases, it could be acceptable not to terminate with a terminating null character. Unless otherwise specified, all Unicode strings follow the UTF-16LE encoding scheme with no Byte Order Mark (BOM).

universally unique identifier (UUID): A 128-bit value. UUIDs can be used for multiple purposes, from tagging objects with an extremely short lifetime, to reliably identifying very persistent objects in cross-process communication such as client and server interfaces, manager entry-point vectors, and RPC objects. UUIDs are highly likely to be unique. UUIDs are also known as globally unique identifiers (GUIDs) and these terms are used interchangeably in the Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the UUID. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the UUID.

user GPO version: A version number of the changes for the user policy portion of a Group Policy Object (GPO). This is a 16-bit integer encoded in the upper 16 bits of a GPO version.

user policy mode: A mode of policy application that is used to retrieve settings for an authenticated domain user account, interactively logged on to a client.

user principal name (UPN): A user account name (sometimes referred to as the user logon name) and a domain name that identifies the domain in which the user account is located. This is the standard usage for logging on to a Windows domain. The format is: someone@example.com (in the form of an email address). In Active Directory, the userPrincipalName attribute of the account object, as described in [MS-ADTS].

user-scoped Group Policy Object distinguished name: A scoped Group Policy Object (GPO) distinguished name (DN) that begins with "CN=User".

user-scoped Group Policy Object path: A scoped Group Policy Object (GPO) path that ends in "\User".

Windows Management Instrumentation (WMI): The Microsoft implementation of Common Information Model (CIM), as specified in [DMTF-DSP0004]. WMI allows an administrator to manage local and remote machines and models computer and network objects using an extension of the CIM standard.

WMI Query Language (WQL): A subset of American National Standards Institute Structured Query Language (ANSI SQL). It differs from the standard SQL in that it retrieves from classes rather than tables and returns CIM classes or instances rather than rows.  WQL is specified in [MS-WMI] section 2.2.1.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.