UWWI Frequently Asked Questions - Glossary
This document includes common Windows terms and provides a basis for understanding
what they mean. We welcome suggestions as to additional Windows terms that should
be added to this document.
You can find the general UW Technology glossary here.
What’s a domain?
This is a Windows term referring to an organizational structure. The term has
two meanings: a domain is a directory container object, and it is also used to
refer to the general Windows environment or structure that this directory
container provides.
A Windows domain is a group of computers which share a common account
database. These computers each have an associated account object which is
contained by the domain container. Because computers belonging to the domain
share a common account database, file sharing across these computers is simple.
Basic rights to computers in a domain can be controlled via a group policy
object associated with the domain directory object.
Starting with Windows 2000, a Windows domain must have a corresponding DNS domain
associated with it. A Windows domain requires at least one domain controller
where the common account database is held. Domain controllers for the domain
must have the associated DNS domain as their primary DNS suffix. All other
machines in a Windows domain can have any primary DNS suffix.
What’s an OU?
This is a Windows term referring to an organizational structure. The term can
be used to refer to the structure itself or the general environment under that
structure.
A Windows OU is an organizational unit (a directory container) for grouping
similar accounts or machines. OUs provide a means of delegating authority over
a group of accounts or machines to a person (the local administrator). OUs do
not require a domain controller or any other physical representation; they are
simply a container in the domain database. OUs can contain other OUs to a level
of 63 deep. OUs can be used to mirror the actual organizational structure, but
this isn’t always recommended.
What’s a tree?
This is a Windows term referring to an organizational structure. The term can
be used to refer to the structure itself or the general environment under that
structure.
A Windows tree is a group of 1 or more trusted Windows domains with
contiguous DNS domains. “Trusted” means that an authenticated account from one
domain isn’t rejected by another domain. “Contiguous DNS domains” means that
they all have the same root DNS name. For example, the domains it.dept.washington.edu and dept.washington.edu
are contiguous, whereas fred.com and win.washington.edu are not contiguous. A tree shares common global catalog
servers, and a common schema. The schema determines what types of objects,
classes, and attributes may be created in each of the domain databases in the
tree. Trees have no physical representation like a domain controller, but
require at least one domain to exist. Trees are used to group Windows domains
which need to share files, policy, and resources.
What’s a forest?
This is a Windows term referring to an organizational structure. The term can
be used to refer to the structure itself or the general environment under that
structure.
A Windows forest is a group of 1 or more trusted Windows trees. The trees do
not need to have contiguous DNS names. A forest shares a schema and global
catalog servers. A single tree can also be called a forest, so a forest may be
made up of one or more trees and of one or more domains.
What’s a site?
This is a Windows term referring to an organizational structure. Sites are
manually defined groupings of subnets. One typically groups subnets which have
high bandwidth connectivity in the same site. Objects in a site share the same
global catalog servers, and can have a common set of group policies applied to
them. Universities typically have a single site, but might have multiple sites
if they have more than one campus.
Another common reason to use sites is to give Exchange servers a dedicated
global catalog server, because of the dependency Exchange has on global catalog servers.
What is Active Directory?
Active Directory is a Windows term for the overall directory database in
a Windows domain. The AD, or Active Directory, contains the user accounts,
computer accounts, OUs, security groups, group policy objects, and any other LDAP-based directory object.
The AD is
markedly different from the NT4 domain database (called the SAM) because it is
based on the LDAP standard. This means that everything in AD is an object with a
unique path together with associated attributes. This allows a greater
opportunity for interoperability with applications and other directory products.
The tree or forest-wide schema determines what types of objects and attributes
may be created in AD. Another implication of LDAP support is that
information in the directory is searchable. Universities are under a legal
obligation to protect the privacy of student personal information when students
request it, so you will find that your ability to search for information may be
limited by access restrictions reflecting the privacy settings that people have
requested.
What is a schema?
The schema defines what attributes, objects, classes, and rules are available
in the Active Directory. The schema is shared by AD forest-wide and is
replicated between all domains, so a schema modification in one domain affects
the schema in all other domains. Only special administrators known as Schema
Administrators have the right to make modifications. Modifications to the schema
are generally rare, and are made to extend support for enterprise application services
which benefit from storing user or computer configuration data centrally.
Microsoft Exchange 2000 is an example of an application which requires
a schema modification.
What’s a global catalog server?
The global catalog server’s function is to process directory searches for the
entire forest. Therefore, the GC has a subset of the searchable attributes for
all objects in the AD, regardless of the object’s parent domain. Among the
things in the GC are entries for all the accounts and machines, with a subset of
the attributes for each object. A global catalog server must be a domain
controller. In UWWI, all the
domain controllers are global catalog servers.
What is the top-level domain or the forest root domain?
The top-level domain or forest root domain is the first domain installed in a
forest. In UWWI, this is the netid.washington.edu domain. There are no other domains in
UWWI.
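The structures defined in the entries above (forest, root domain, trees of contiguous DNS domains, sites and their subnets, global catalog servers, the schema and its administrators) can all be read back from a live directory. The following script is an added example, not part of the UWWI glossary or of any UWWI tooling; it uses the ActiveDirectory RSAT module (Get-ADForest, Get-ADDomain, Get-ADReplicationSite, Get-ADReplicationSubnet, Get-ADDomainController, Get-ADGroupMember) and assumes a domain-joined machine with an account that can read the directory. The function names are chosen for this example. Besides the inventory, it includes two checks a practitioner would want: that every domain controller is a global catalog server (the UWWI configuration described above), and who holds standing membership in Schema Admins, which should normally be empty because schema changes are rare.

```powershell
# Added example, not part of the UWWI glossary: inventory the forest structure
# with the ActiveDirectory RSAT module, plus two practitioner checks.
# Assumes a domain-joined machine and an account that can read the directory.
Import-Module ActiveDirectory

function Get-ForestStructureReport {
    $forest = Get-ADForest

    $domains = foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        # "Contiguous DNS domains" (the glossary's tree definition): a domain is
        # in the root tree if its DNS name is, or ends with, the root domain's.
        $inRootTree = ($d.DNSRoot -eq $forest.RootDomain) -or
                      $d.DNSRoot.EndsWith(".$($forest.RootDomain)")
        [pscustomobject]@{
            DNSRoot      = $d.DNSRoot
            NetBIOSName  = $d.NetBIOSName
            ParentDomain = $d.ParentDomain      # $null for the root of each tree
            InRootTree   = $inRootTree
        }
    }

    # Sites are manually defined groupings of subnets; each subnet's Site
    # property holds the distinguished name of the site it was assigned to.
    $subnets = @(Get-ADReplicationSubnet -Filter *)
    $sites = foreach ($site in Get-ADReplicationSite -Filter *) {
        [pscustomobject]@{
            Site    = $site.Name
            Subnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
                        ForEach-Object { $_.Name })
        }
    }

    [pscustomobject]@{
        Forest         = $forest.Name
        RootDomain     = $forest.RootDomain     # first domain installed in the forest
        SchemaMaster   = $forest.SchemaMaster   # the one DC that accepts schema changes
        GlobalCatalogs = @($forest.GlobalCatalogs)
        Domains        = @($domains)
        Sites          = @($sites)
    }
}

# Check 1: the glossary notes that in UWWI every domain controller is a global
# catalog server. This lists any DC, in any domain of the forest, that is not.
function Get-DomainControllersNotGC {
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $name |
            Where-Object { -not $_.IsGlobalCatalog } |
            Select-Object HostName, Domain, Site
    }
}

# Check 2: only Schema Admins can modify the forest-wide schema. Because changes
# are rare, the group is normally kept empty; any standing member deserves review.
# Schema Admins lives in the forest root domain, hence -Server.
function Get-SchemaAdminMembers {
    $forest = Get-ADForest
    Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}

# Usage:
Get-ForestStructureReport | Format-List
Get-DomainControllersNotGC
Get-SchemaAdminMembers
```

In a single-domain forest such as the one described above, the Domains list has one entry, ParentDomain is empty and InRootTree is true; the checks are still worth running, since a DC that is not a GC or a populated Schema Admins group is a configuration drift either way.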
What is group policy or a GPO?
Group policy is a Windows term for common configuration settings. An
administrator can create a group policy which applies to users or computers.
This group policy can set certain computer settings, such as who can log in to the
computer, or user settings, such as whether the user can run control panel applets.
Group policy is similar to what was called policy in NT4, but performance is vastly
improved and there is a greater number of common configuration
settings. A GPO, or group policy object, is a set of settings applied to a site,
domain or OU container. The GPO is then applied to every machine or user object
under that container. One can configure a GPO with ACLs to restrict the
computers or users to which it is applied.
What is the group policy loopback feature?
Group Policy is applied to a user or computer, based upon where the user or
computer object is located in the Active Directory. The computer’s GPOs are
applied at computer startup. The user’s GPOs are applied at login. However, in
some cases, users may need policy applied to them, based upon the location of
the computer object, not the location of the user object. The Group Policy
loopback feature gives the administrator the ability to apply Group Policy,
based upon the computer that the user is logging onto. The computer’s GPOs are
still retrieved at computer startup, but the user portion of these GPOs isn’t
applied until a user logs in. More detail can be found at http://www.netid.washington.edu/documentation/gpoorder.aspx.
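The two entries above describe GPOs linked to a container, the ACL-based security filtering that restricts which users or computers a GPO applies to, and loopback processing. The script below is an added example, not part of the UWWI glossary or of any UWWI tooling; it uses the GroupPolicy RSAT module (Get-GPInheritance, Get-GPPermission) to show, for one OU, which GPOs apply there and which trustees hold the "Apply group policy" right on each, and reads the registry value the loopback policy sets on the local machine. The OU distinguished name is a placeholder and the function names are chosen for this example.

```powershell
# Added example, not part of the UWWI glossary: GPO links, security filtering
# and loopback mode. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-OuGpoApplyReport {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $inheritance = Get-GPInheritance -Target $OuDistinguishedName
    # InheritedGpoLinks is the full, ordered list of GPOs that reach objects
    # under this OU: those linked to the site, the domain, parent OUs and the
    # OU itself, unless inheritance is blocked.
    foreach ($link in $inheritance.InheritedGpoLinks) {
        # A GPO only applies to a user or computer that holds the GpoApply
        # ("Apply group policy") right in the GPO's ACL; Authenticated Users
        # holds it by default, and narrowing it is what security filtering means.
        $appliers = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            GPO       = $link.DisplayName
            LinkedAt  = $link.Target
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            Order     = $link.Order
            AppliesTo = ($appliers -join ', ')
        }
    }
}

function Get-LoopbackMode {
    # Registry value written by the computer policy "Configure user Group Policy
    # loopback processing mode": absent = not configured, 1 = Merge, 2 = Replace.
    # With loopback on, the user settings of the computer's GPOs are applied at
    # the user's logon, as the glossary entry describes.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($mode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}

# Usage (placeholder OU; replace with a real distinguished name):
Get-OuGpoApplyReport -OuDistinguishedName 'OU=Example,DC=example,DC=test' | Format-Table -AutoSize
"Loopback mode on this computer: $(Get-LoopbackMode)"
```

A GPO that shows Enabled but an empty AppliesTo column is linked yet reaches nobody, which is a common cause of "the policy isn't applying" reports; conversely a broad AppliesTo on a GPO linked high in the hierarchy is what to review when a setting lands on machines it was not meant for.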
What is an ACL or access-control list?
A list of security protections that applies to an object. An object can be a
file, process, event, directory entry or anything else having a security descriptor. An entry
in an access-control list (ACL) is an access-control entry (ACE). There are two
types of access-control lists, discretionary and system. The discretionary
access-control list (DACL) is typically what is meant when the term ACL is used.
The DACL is an access-control list that is controlled by the owner of an object (or anyone with
the 'change permissions' permission for that object)
and that specifies the access particular users or groups can have to the object.
The system access-control list (SACL) controls the generation of audit messages
for attempts to access a securable object. The ability to get or set an object's
SACL is controlled by a privilege typically held only by system administrators.
What is an ACE or access-control entry?
An entry in an access-control list (ACL). An ACE contains a set of access
rights and a security identifier (SID) that identifies a trustee for whom the
rights are allowed, denied, or audited.
What is a SID?
A structure of variable length that uniquely identifies a directory object in
all Windows NT or 2000 implementations. Directory objects can be users, groups,
computers, or group policy objects. The directory objects can be domain based
(either in the NT domain accounts database or in Windows 2000 Active Directory)
or local to the computer (in the local account database). There is a set of
common SIDs called well-known SIDs which are not unique, but identical across
all Windows computers.
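The three entries above (ACL, ACE, SID) fit together in one script: an object's DACL and SACL are lists of ACEs, each ACE names a trustee by SID, and the SID itself is a variable-length structure that is either scoped to an account database or well known. The following is an added example, not part of the UWWI glossary or of any UWWI tooling; it uses Get-Acl and the .NET SecurityIdentifier type, the file path is a placeholder, and the function names are chosen for this example. It also shows the two practical points the ACL entry makes: the 'change permissions' right lets a non-owner rewrite the DACL, and reading the SACL needs a privilege that ordinary users do not hold, so that part is reported rather than allowed to abort the run.

```powershell
# Added example, not part of the UWWI glossary: decode a SID and list the ACEs
# of a file or directory's DACL and SACL.

function Resolve-SidString {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<not resolvable on this machine>' }
    [pscustomobject]@{
        SID          = $sid.Value
        # Variable length: 8-byte header (revision, count, authority) + 4 bytes per sub-authority.
        BinaryLength = $sid.BinaryLength
        # Domain and local account SIDs carry an S-1-5-21-<domain> prefix; well-known
        # SIDs such as S-1-1-0 (Everyone) or S-1-5-32-544 (BUILTIN\Administrators) do not.
        AccountDomain = $sid.AccountDomainSid
        WellKnown     = ($null -eq $sid.AccountDomainSid)
        RID           = ($sid.Value -split '-')[-1]
        Name          = $name
    }
}

function Get-SidInfo([System.Security.Principal.IdentityReference]$Id) {
    # Get-Acl returns trustees as NTAccount names; map each back to its SID.
    try   { $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return [pscustomobject]@{ Value = "<unmapped: $($Id.Value)>"; WellKnown = $false } }
    [pscustomobject]@{ Value = $sid.Value; WellKnown = ($null -eq $sid.AccountDomainSid) }
}

function Get-AceReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $changePerm = [System.Security.AccessControl.FileSystemRights]::ChangePermissions

    # DACL: Allow/Deny ACEs, each naming a trustee and a set of access rights.
    # An Allow ACE carrying ChangePermissions lets that trustee rewrite the DACL
    # even without being the owner.
    $dacl = foreach ($ace in $acl.Access) {
        $info = Get-SidInfo $ace.IdentityReference
        [pscustomobject]@{
            List          = 'DACL'
            Type          = $ace.AccessControlType     # Allow or Deny
            Trustee       = $ace.IdentityReference.Value
            SID           = $info.Value
            WellKnownSid  = $info.WellKnown
            Rights        = $ace.FileSystemRights
            GrantsChgPerm = ($ace.AccessControlType -eq 'Allow') -and
                            (($ace.FileSystemRights -band $changePerm) -ne 0)
            Inherited     = $ace.IsInherited
        }
    }

    # SACL: audit ACEs (Success and/or Failure). Reading it requires
    # SeSecurityPrivilege, normally held only by administrators.
    try {
        $sacl = foreach ($ace in (Get-Acl -Path $Path -Audit -ErrorAction Stop).Audit) {
            $info = Get-SidInfo $ace.IdentityReference
            [pscustomobject]@{
                List = 'SACL'; Type = $ace.AuditFlags; Trustee = $ace.IdentityReference.Value
                SID = $info.Value; WellKnownSid = $info.WellKnown; Rights = $ace.FileSystemRights
                GrantsChgPerm = $false; Inherited = $ace.IsInherited
            }
        }
    } catch {
        Write-Warning "SACL not readable (SeSecurityPrivilege needed): $($_.Exception.Message)"
        $sacl = @()
    }

    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Entries = @($dacl) + @($sacl) }
}

# Usage (placeholder path; BUILTIN\Administrators is a well-known SID):
Resolve-SidString 'S-1-5-32-544' | Format-List
(Get-AceReport -Path 'C:\Example\report.txt').Entries | Format-Table -AutoSize
```

Entries whose Type is Deny are listed before Allow entries by Windows when it evaluates access, and an inherited ACE is one the object received from its parent container rather than one set on it directly; both columns are in the output because they change what a given right in the Rights column actually means for the trustee.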