Larry Steinle

February 20, 2011

Introduction to Active Directory

Filed under: Active Directory — Larry Steinle @ 11:56 pm

For the next set of posts I will focus on managing data in Active Directory. Today’s post will introduce basic Active Directory concepts that will form the foundation for future posts.

What is Active Directory?

Active Directory (AD) is an object-oriented, hierarchical database, accessed over LDAP, that stores an organization's security principals and the information needed to authenticate and authorize them. Most companies rely on AD to hold an account for each user they employ. Administrators place those users in security groups, and the groups are granted or denied access to resources: a folder, a file, a SQL Server database, a web page, a SharePoint site or any other system that integrates with AD. Computers can be managed through AD as well, using Group Policy Objects (GPOs): collections of policy settings applied to the computers and users in the site, domain or organizational unit the GPO is linked to.

In Windows, authorization is built around Security Identifiers (SIDs). Every security principal has a unique SID: each user, computer and group in AD, plus built-in identities such as Everyone, Authenticated Users and SYSTEM. Resources such as files, folders, registry keys, shares and the AD objects themselves do not have SIDs of their own; each carries a security descriptor whose discretionary access control list (DACL) is an ordered list of access control entries (ACEs), and each ACE grants or denies a set of rights to one SID. Applications such as SQL Server that accept Windows logins recognize those logins by the same SIDs. When a user tries to open a resource, Windows compares the SIDs in the user's access token (the user's own SID plus the SIDs of every group the user belongs to) against the ACEs in the resource's DACL; that comparison, not the SID alone, decides who has which rights.

For example, ten users need access to the same folder. We can add an ACE for each user's SID to the folder's DACL, or we can put the ten users in an AD security group and add a single ACE for the group's SID. Either way each user gets in, because the folder's DACL contains either the user's own SID or the SID of a group that appears in the user's token. The group approach is the one that scales: one ACE to review instead of ten, and the eleventh user is handled by a group membership change rather than by touching the folder. One caveat: group SIDs are collected into the access token at logon, so a user added to a group sees the new access only after logging off and on again (a computer account, after a reboot).
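The following added example (Python, written for this page; it is not code from the original post or from Microsoft) models the access check described above in simplified form: a token is built at logon from the user's SID and the SIDs of the groups that contain the user, and then the folder's DACL is walked in order. The SIDs, group names and access-right bits are constructed for illustration, and owner rights, inheritance and generic-mapping details are left out.

```python
# Added example, not code from the original post: a simplified model of the
# Windows DACL access check. It shows why an ACE for the user's SID and an ACE
# for a group SID in the user's token both open the folder, why a deny ACE
# wins, and why a new group membership is not seen until the next logon.
# All SIDs, group names and access-right bits below are constructed.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # toy access mask (real masks are wider)


@dataclass(frozen=True)
class ACE:
    """One access control entry: allow or deny `rights` to the trustee `sid`."""
    allow: bool
    sid: str
    rights: int


@dataclass(frozen=True)
class Token:
    """Access token: the user's SID plus the group SIDs collected at logon."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids


def logon(user_sid, group_members):
    """Build the token the way logon does: the user's SID plus every group
    that contains the user, directly or through nested groups. Membership
    changes made afterwards are not reflected until the user logs on again."""
    groups, frontier = set(), [user_sid]
    while frontier:
        member = frontier.pop()
        for group_sid, members in group_members.items():
            if member in members and group_sid not in groups:
                groups.add(group_sid)
                frontier.append(group_sid)
    return Token(user_sid, frozenset(groups))


def access_check(dacl, token, desired):
    """Walk the DACL in order (owner rights, SACL and generic mapping omitted):
    a NULL DACL grants everything and an empty one grants nothing; only ACEs
    whose SID is in the token count; a matching deny ACE covering any right
    still being sought fails the check, matching allow ACEs accumulate rights,
    and access is granted once every desired bit has been allowed. Windows
    keeps explicit deny ACEs ahead of explicit allow ACEs, so denies win."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if not token.holds(ace.sid):
            continue
        if ace.allow:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
        elif ace.rights & remaining:
            return False
    return remaining == 0


# Constructed sample directory: one domain, two groups, three users.
JOE = "S-1-5-21-1004336348-1177238915-682003330-1104"
BOB = "S-1-5-21-1004336348-1177238915-682003330-1105"
ANN = "S-1-5-21-1004336348-1177238915-682003330-1106"
HEALTH_SAFETY = "S-1-5-21-1004336348-1177238915-682003330-2001"   # security group
CONTRACTORS = "S-1-5-21-1004336348-1177238915-682003330-2002"     # nested in it
GROUP_MEMBERS = {HEALTH_SAFETY: {JOE, CONTRACTORS}, CONTRACTORS: {BOB}}

# The folder's DACL: one ACE for the group instead of one per user.
FOLDER_DACL = [ACE(allow=True, sid=HEALTH_SAFETY, rights=READ | WRITE)]
# Same folder, but Joe is explicitly denied WRITE (explicit deny is ordered first).
RESTRICTED_DACL = [ACE(allow=False, sid=JOE, rights=WRITE)] + FOLDER_DACL


def demo():
    """Run the checks discussed in the post and return name -> granted."""
    members = {g: set(m) for g, m in GROUP_MEMBERS.items()}
    joe, bob, ann = (logon(u, members) for u in (JOE, BOB, ANN))
    members[HEALTH_SAFETY].add(ANN)          # Ann joins the group after her logon
    return {
        "joe_read_via_group": access_check(FOLDER_DACL, joe, READ),
        "bob_read_via_nested_group": access_check(FOLDER_DACL, bob, READ),
        "ann_before_relogon": access_check(FOLDER_DACL, ann, READ),
        "ann_after_relogon": access_check(FOLDER_DACL, logon(ANN, members), READ),
        "joe_read_restricted": access_check(RESTRICTED_DACL, joe, READ),
        "joe_write_restricted": access_check(RESTRICTED_DACL, joe, WRITE),
        "joe_read_write_restricted": access_check(RESTRICTED_DACL, joe, READ | WRITE),
        "empty_dacl": access_check([], joe, READ),
        "null_dacl": access_check(None, ann, READ | WRITE | EXECUTE),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:28} {'granted' if granted else 'denied'}")
```

Running it shows the two points a practitioner cares about: Bob gets in through a nested group with no ACE naming him, and Ann, added to the group after logon, is refused until her token is rebuilt. Joe's explicit deny on WRITE also blocks a combined READ|WRITE request even though the group ACE would allow both bits, because the deny is evaluated first.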

There are many ways Active Directory is used in a corporate environment, and much more to understand about SIDs and ACLs. Our objective here is not to cover all of those details but to establish the general AD concepts.

AD Organization

As I said earlier, AD is an object-oriented database. AD tracks user information in user objects, computer information in computer objects and group information in group objects. There are many other object classes in AD, but we will focus on these three for now.

To locate these objects, every object in the directory is named by a chain of components of three kinds: Domain Components (DC), Organizational Units (OU) and a Common Name (CN). The Domain Components name the domain, one component per label of its DNS name, and can be thought of as the data store. An Organizational Unit is a container, similar to a folder, into which administrators sort objects and to which Group Policy can be linked. The Common Name is the object's own name: the user, computer or group. (A few of the default containers, such as Users and Computers, are themselves CN-named containers rather than OUs, which is one reason Group Policy cannot be linked to them.)

So storage of a specific object occurs in the following hierarchy:

Domain Component 1 \ Domain Component 2 \ ... \ Domain Component n \ Organizational Unit 1 \ Organizational Unit 2 \ ... \ Organizational Unit n \ Common Name

This storage hierarchy, written out as a string, is what the rest of this post calls an Active Directory path.

The Active Directory Path

An AD path lists the hierarchy in reverse order, with the most specific component first. The path identifies which provider (that is, which protocol) to use, which server or domain to connect to, and the distinguished name of the object of interest.

The path is divided up in the following format:

provider://hostName:portNumber/distinguishedName

The provider and distinguished name are required; the host name and port number are optional. This is the ADSI binding string (ADsPath) accepted by ADSI scripts and by System.DirectoryServices.DirectoryEntry, not an RFC 4516 LDAP URL, and the provider moniker is case-sensitive: write LDAP://, not ldap://.

The provider can be one of the following values:

  • LDAP: the LDAP provider, used for Active Directory Domain Services (and any other LDAP directory, such as AD LDS).
  • GC: the Global Catalog, a read-only, forest-wide partial replica of every object, reached over LDAP on port 3268.
  • WinNT: legacy Windows NT 4 domain controllers and the local SAM account database of a workstation or member server.
  • NDS: Novell Directory Services.
  • NWCOMPAT: the NetWare 3.x bindery compatibility provider for older Novell servers.
  • IIS: the Internet Information Services metabase.
  • ADs: binds to the ADSI namespaces container, which enumerates the installed providers.

For our examples we will be using the LDAP provider.

The host name names the server or domain we want to talk to. In AD the data store is a domain; a forest is one or more domains (a single domain is still a forest) that share a schema, a configuration partition and a global catalog. The host name may be the DNS name of a specific domain controller or the DNS name of the domain itself, in which case Windows locates a domain controller for us.

Computers in different domains can still talk to each other over the network; what a domain boundary governs is authentication and authorization. A user or computer from one domain can be authenticated by, and granted access in, another domain only if a trust relationship exists between the two. Within a forest every domain already trusts every other through automatic two-way transitive trusts; trusts to domains in other forests must be created explicitly.

Because a domain-joined computer already knows which domain it belongs to, the host name and port number are optional. If the host name is omitted (a serverless bind), ADSI uses the DC locator to find a domain controller in the domain of the caller's security context and binds to it; if the port is omitted, the provider's default applies (389 for LDAP, 3268 for GC, or 636 and 3269 for LDAP over SSL). One practical caveat: with a serverless bind you do not know which domain controller answered, so a change written through one bind may not yet be visible through the next until replication has caught up.

Active Directory Distinguished Names

An AD distinguished name (DN) names one object by listing the organizational units (or containers) above it together with its common name. The distinguished name consists of one or more relative distinguished names (RDNs). Each RDN has an attribute type and a value.

RDN Syntax:

attribute=value

Where attribute is one of, but not limited to, the following values:

  • DC = Domain Component
  • CN = Common Name
  • OU = Organizational Unit

There are other attribute types, but we will focus on these three in today's article because they are the ones we will use most often.

DN Syntax:

rdn_n,...,rdn_2,rdn_1

As mentioned earlier, AD stores the path in reverse order: the leftmost RDN names the object itself, each RDN to its right names the container above it, and the rightmost DC components name the domain. RDNs are separated by commas. Attribute types are case-insensitive (cn= and CN= are equivalent), and AD compares DN values case-insensitively as well, so the mixed case in the examples below is a matter of style, not correctness.

AD Path Sample

In our imaginary world we work for the company Acne, USA. In his infinite wisdom the system administrator created a domain called Acne.USA. To connect to the root of the domain we would write our LDAP path as follows:

LDAP://Acne.USA/DC=Acne,DC=USA

Now, if we wanted to access the user accounts of the Health and Safety Office, which lives in its own OU under a Departments OU, we would need a path in the following format:

LDAP://Acne.USA/ou=Health & Safety,ou=Departments,DC=Acne,DC=USA

And finally, to access Joe's user account in the Health and Safety OU:

LDAP://Acne.USA/cn=JoeSchmoe,ou=Health & Safety,ou=Departments,DC=Acne,DC=USA
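As an added example (Python, written for this page; it is not code from the original post, nor the helper class promised for the next one), the following parses the ADsPaths above into provider, host, port and distinguished name, splits the DN into RDNs while honouring the RFC 4514 escaping rules for commas, leading '#' and trailing spaces, and builds paths back from parts. The one ADSI-specific rule it applies is that a '/' inside a DN must be written '\/' so the provider does not mistake it for the host separator. The Acne.USA names come from the post; every other name and value is constructed.

```python
# Added example, not code from the original post: parse and build ADSI
# binding strings (provider://host:port/distinguishedName) and split the DN
# into RDNs while honouring RFC 4514 escaping plus the ADSI rule that '/'
# inside the DN is written '\/'. Acne.USA is from the post; the rest is made up.
from collections import namedtuple

KNOWN_PROVIDERS = ("LDAP", "GC", "WinNT", "NDS", "NWCOMPAT", "IIS", "ADs")
DEFAULT_PORTS = {"LDAP": 389, "GC": 3268}    # LDAP over SSL uses 636 / 3269
_ESCAPE_ANYWHERE = set(',+"\\<>;') | {"/"}   # '/' is ADSI-specific, not RFC 4514
# host None = serverless bind (the DC locator picks a DC); dn is left escaped.
ADsPath = namedtuple("ADsPath", "provider host port dn")


def split_unescaped(text, sep):
    """Split on `sep`, leaving backslash-escaped characters alone."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += [text[i], text[i + 1]]
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN in an ADsPath."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch in " #" and i == 0) or (ch == " " and i == last):
            out.append("\\" + ch)          # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(raw):
    """Undo escaping: '\\x' yields x; '\\2C'-style hex pairs yield UTF-8 bytes."""
    buf, i, hexdigits = bytearray(), 0, "0123456789abcdefABCDEF"
    while i < len(raw):
        pair = raw[i + 1:i + 3]
        if raw[i] == "\\" and len(pair) == 2 and all(c in hexdigits for c in pair):
            buf.append(int(pair, 16))
            i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            buf += raw[i + 1].encode("utf-8")
            i += 2
        else:
            buf += raw[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def parse_dn(dn):
    """Return [(ATTR, value), ...] leaf first, values unescaped, types upper-cased."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, raw = rdn.lstrip().partition("=")
        if not eq or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), unescape_rdn_value(raw)))
    return rdns


def build_dn(rdns):
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def parse_adspath(path):
    provider, sep, rest = path.partition("://")
    if not sep or provider not in KNOWN_PROVIDERS:   # monikers are case-sensitive
        raise ValueError(f"unknown or wrongly cased provider in {path!r}")
    # The first unescaped '/' separates host[:port] from the DN. Without one,
    # a segment containing '=' (or RootDSE) is a serverless DN, else a host.
    head, *tail = split_unescaped(rest, "/")
    if tail:
        server, dn = head, "/".join(tail)
    elif "=" in head or head == "RootDSE":
        server, dn = "", head
    else:
        server, dn = head, ""
    host = port = None
    if server:
        host, colon, port_text = server.partition(":")
        port = int(port_text) if colon else DEFAULT_PORTS.get(provider)
    return ADsPath(provider, host, port, dn)


def build_adspath(provider, host, rdns, port=None):
    server = "" if host is None else host + (f":{port}" if port else "") + "/"
    return f"{provider}://{server}{build_dn(rdns)}"
```

Because split_unescaped skips escaped characters, a DN containing a comma in a name (CN=Schmoe\, Joe) or an escaped slash (OU=Health & Safety\/Audit) survives a round trip through build_adspath and parse_adspath, while the space and ampersand in "Health & Safety" need no escaping at all. Multi-valued RDNs joined with '+' are not handled; they are rare in AD.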

Summary

Today we reviewed what Active Directory is, how it is used and how its information is organized. In the next post we will create a simple helper class that builds path strings which follow Active Directory's character-escaping rules and that makes it easier to parse a path for finer control.
