DACL
See discretionary access-control list.
data model
The Active Directory data model is derived from the X.500 data model. The directory holds objects that represent various elements described by attributes. The types of objects that can be stored in the directory are defined in the schema. For each object class, the schema defines which attributes an instance of the class must have, which additional attributes it may have, and which object classes can be the parent of an instance of the class.
DC
See domain controller or domain component.
delegation
Delegation is one of the most important security features of Active Directory. It allows a higher administrative authority to grant specific administrative rights over containers and subtrees to individual users and groups, which removes the need to give domain administrators broad authority over large populations of users. The mechanism is an access-control entry (ACE) in the access-control list of the container: the ACE grants a user or group specific operations (for example, resetting passwords) on specific object classes (for example, user objects) in that container and, depending on the inheritance flags, in the subtree below it. Because each delegated ACE is itself a standing grant of authority, it should be scoped as narrowly as the task allows and reviewed regularly.
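The following script is an added example and is not part of the original glossary. It shows the delegation described above in practice: a single ACE granting one group the "Reset Password" extended right on user objects under one OU, followed by the audit a practitioner would run on the resulting DACL. It assumes the RSAT ActiveDirectory module is installed and that the OU and group names are placeholders for objects that exist in the target domain.

```powershell
# Added example (not from the original glossary): delegate the "Reset Password"
# extended right on user objects under one OU to a helpdesk group, then audit the
# explicit ACEs on that OU. Assumes the RSAT ActiveDirectory module and a domain
# where the OU and group below exist; both names are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk-Managed,DC=fabrikam,DC=com'   # assumed OU
$groupName = 'Helpdesk-PasswordResets'                   # assumed group
$rootDse   = Get-ADRootDSE

# Look up the two GUIDs the ACE needs rather than hard-coding them: the
# schemaIDGUID of the user class (schema partition) and the rightsGuid of the
# "Reset Password" control access right (configuration partition).
$userClassGuid = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [Guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid

$sid = (Get-ADGroup -Identity $groupName).SID

# One ACE: Allow ExtendedRight, object type = Reset Password, applied only to
# descendant objects of class user. It grants nothing on the OU itself and
# nothing on other object classes.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# An ACE is over-broad for a delegated task when it carries the full GenericAll
# mask or can rewrite the DACL or take ownership. HasFlag is used because
# GenericAll overlaps narrower rights such as ExtendedRight bit-wise.
function Test-OverBroadRights {
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $t = [System.DirectoryServices.ActiveDirectoryRights]
    $Rights.HasFlag($t::GenericAll) -or $Rights.HasFlag($t::WriteDacl) -or $Rights.HasFlag($t::WriteOwner)
}

# Audit: every explicit (non-inherited) ACE on the OU is a standing delegation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Identity      = $_.IdentityReference
            Rights        = $_.ActiveDirectoryRights
            ObjectType    = $_.ObjectType            # extended right / attribute GUID
            InheritedType = $_.InheritedObjectType   # object class the ACE applies to
            OverBroad     = Test-OverBroadRights $_.ActiveDirectoryRights
        }
    } | Format-Table -AutoSize
```

Scoping the ACE by object class (the user class GUID as the inherited object type) and by extended right (the Reset Password GUID as the object type) is what keeps the grant specific; an ACE with GenericAll on the OU would delegate far more than password resets, which is why the audit at the end flags it.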
directory
A directory is a store for object data. For example, a telephone directory stores telephone subscriber data, and in a file system the directory stores data about files. In a distributed computing system such as the Internet, there are many kinds of objects, such as printers, fax servers, applications, databases, and users.
directory client
A server, workstation, or application that accesses a directory service, using the LDAP protocol, to query the directory for object data.
directory partition
A directory partition, or naming context, is a contiguous Active Directory subtree replicated on one or more Windows 2000 domain controllers in a forest. By default, each domain controller holds a replica of three partitions: the schema partition, the configuration partition, and a domain partition.
directory service
A service that provides access to data and objects in a directory or network environment.
directory system agent
The directory system agent is the process that provides access to the physical storage for Active Directory.
discretionary access-control list
A list, controlled by the owner of an object, that specifies the access particular users or groups have to the object.
distinguished name
A fully qualified, unique name that identifies an object in a directory by specifying the complete path to the object through the hierarchy of directory containers.
DN
See distinguished name.
DNS
See Domain Name System.
domain
In Active Directory, a collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.
domain component
A domain component is an element of a distinguished name that identifies part of a domain. For example, "CN=Jeff Smith,CN=Users,DC=Fabrikam,DC=com" contains the domain components "Fabrikam" and "com".
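The script below is an added example, not part of the original glossary, covering the distinguished name and domain component entries together. It splits a DN into its relative distinguished names and reads the DC components back out as a DNS domain name. The first sample DN is the one quoted in the glossary; the second is constructed for this example to show an escaped comma inside an RDN value, which a naive split on "," would break.

```powershell
# Added example (not from the original glossary): split a distinguished name
# into its relative distinguished names and derive the DNS domain name from the
# domain components. Sample DNs are constructed for this example except the
# first, which is the one quoted in the glossary.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)

    # Walk the string and split only on commas that are not escaped; RFC 4514
    # escapes special characters in an RDN value with a backslash, so
    # "CN=Smith\, Jeff" is one RDN, not two.
    $rdns = New-Object System.Collections.Generic.List[string]
    $buf  = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $DN.Length; $i++) {
        $c = $DN[$i]
        if ($c -eq '\' -and $i + 1 -lt $DN.Length) {
            [void]$buf.Append($c).Append($DN[$i + 1])   # keep the escape pair intact
            $i++
            continue
        }
        if ($c -eq ',') {
            $rdns.Add($buf.ToString())
            [void]$buf.Clear()
            continue
        }
        [void]$buf.Append($c)
    }
    $rdns.Add($buf.ToString())

    foreach ($rdn in $rdns) {
        $eq = $rdn.IndexOf('=')
        if ($eq -lt 1) { throw "Malformed RDN '$rdn' in DN '$DN'" }
        [pscustomobject]@{
            Type  = $rdn.Substring(0, $eq).Trim()
            Value = $rdn.Substring($eq + 1).Trim()   # still escaped, as stored in the DN
        }
    }
}

function Get-DnsNameFromDN {
    param([Parameter(Mandatory)][string]$DN)
    # The DC components, read left to right, are the labels of the DNS domain name.
    $labels = @(Split-DistinguishedName $DN | Where-Object { $_.Type -ieq 'DC' } |
                ForEach-Object { $_.Value })
    if ($labels.Count -eq 0) { throw "DN '$DN' contains no domain components" }
    $labels -join '.'
}

$samples = @(
    'CN=Jeff Smith,CN=Users,DC=Fabrikam,DC=com',            # from the glossary entry
    'CN=Smith\, Jeff,OU=Sales,DC=corp,DC=fabrikam,DC=com'   # constructed: escaped comma
)
foreach ($dn in $samples) {
    '{0}  ->  {1}' -f $dn, (Get-DnsNameFromDN $dn)
}
```

The escape handling is the point of the parser: a DN value can legitimately contain commas, equals signs and other delimiters, so any code that turns a DN into an authorization decision or into an LDAP filter has to split on unescaped delimiters only, or it will misattribute objects to the wrong container or domain.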
domain controller
A server computer, running Windows NT, Windows 2000, or Windows Server 2003, that contains a replica of all the objects and object attributes in the domain.
domain forest
Also called a forest. A logical structure formed by combining two or more Windows 2000 or Windows Server 2003 domain trees.
domain local group
A group that can contain members from any domain, but can be granted permissions only to resources in its own domain.
Domain Name System
A hierarchical naming system for identifying Transmission Control Protocol/Internet Protocol (TCP/IP) hosts on the Internet.
domain partition
A directory partition that contains the objects, such as users and computers, associated with the local domain.
domain tree
A hierarchical grouping of Windows 2000 or Windows Server 2003 domains.
DSA
See directory system agent.