Authenticating and authorizing objects in AD

When it comes to resource sharing, the first concern is to grant access only to those who require it, and only to the level they require. This is where security principal objects play a crucial role: they can be “authenticated” and “authorized” to use other resource objects. AD authenticates security principal objects using access tokens.

As already mentioned, every security principal object is uniquely identified by a SID across a domain. These SIDs are used in access tokens during authentication.

The security system creates access tokens; an access token contains the security information of a user who has logged on and been authenticated. The access token of a security principal object (the subject) holds the subject’s SID, the SIDs of the groups to which it belongs, the access privileges it has towards the object it is trying to access, and other such access information.

On the other side, every object has a security descriptor, which defines who can access that particular object and at what level. The security descriptor holds information such as the SID of the object’s owner, the group SIDs, the DACL (discretionary access control list) and the SACL (system access control list).

The DACL and SACL are each a list of access control entries (ACEs).

The permissions granted to a particular user or group over an object by the object’s owner are stored as ACEs in the DACL.

Figure: Advanced Security Settings in Active Directory

In the user interface, they can be viewed as permissions under the Security tab of the User Properties dialog box, as shown above.

Situations arise when organizations have to keep track of who accessed a particular object, when, from where and so on. AD allows you to maintain a log of such events. This can be done by enabling auditing for the particular object under the Security tab, or by configuring audit policies through GPOs. The ACEs in the SACL define which events have to be audited. For example, you can audit successful and failed logons on a user account.

Figure: Windows Event Viewer

In the user interface, these events can be viewed in the Event Viewer window, as shown in the figure above.

When a subject tries to access an object, the system compares the subject’s access token against the object’s security descriptor; if the comparison reveals that the subject is authorized to access the object, access is allowed.
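The comparison described above, reduced to code as an added illustration (this is not code from the original article): a simplified model of how Windows walks a DACL and matches each ACE against the SIDs carried in the access token. The domain SID, RIDs, rights bits and ACEs are constructed sample data, and the owner’s implicit rights and SACL processing are deliberately left out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed access-mask bits for this example (not the real Windows values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str   # SID of the user or group the entry applies to
    mask: int  # rights this entry allows or denies

@dataclass
class Token:
    user_sid: str            # the subject's own SID
    group_sids: frozenset    # SIDs of the groups the subject belongs to

@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[list]     # None models a NULL DACL, which grants everyone full access

def access_check(token: Token, sd: SecurityDescriptor, requested: int) -> bool:
    """Walk the DACL in order: a matching deny ACE that covers any still-unsatisfied
    right ends the check; matching allow ACEs accumulate rights until none remain."""
    if sd.dacl is None:
        return True
    subject_sids = {token.user_sid} | set(token.group_sids)
    remaining = requested
    for ace in sd.dacl:  # canonical order places explicit deny ACEs before allow ACEs
        if ace.sid not in subject_sids:
            continue  # ACE does not apply to this subject
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0  # an empty DACL grants nothing

# Constructed sample data: the domain SID and the non-well-known RIDs below are invented.
ALICE = Token("S-1-5-21-1-2-3-1105", frozenset({"S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1201"}))
BOB = Token("S-1-5-21-1-2-3-1106", frozenset({"S-1-5-21-1-2-3-513"}))
USER_OBJECT = SecurityDescriptor(owner_sid="S-1-5-21-1-2-3-512", dacl=[
    Ace("deny", "S-1-5-21-1-2-3-1106", DELETE),           # Bob is explicitly denied Delete
    Ace("allow", "S-1-5-21-1-2-3-513", READ),             # Domain Users (RID 513) may read
    Ace("allow", "S-1-5-21-1-2-3-1201", WRITE | DELETE),  # Helpdesk group may write and delete
])
```

Because the deny ACE is evaluated first, Bob is refused READ | DELETE even though READ alone would be granted through Domain Users; that ordering is why the Advanced Security Settings dialog warns when it reorders non-canonical ACLs.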
