AD Terminology

Last updated: January 30, 2023
Audience: IT Staff / Technical

This document includes common Microsoft terms associated with Active Directory (AD-DS) and provides a basis for understanding what they mean. We welcome suggestions as to additional terms that should be added to this document.

What’s a domain?

This is a Windows term referring to an organizational structure. The term has two meanings: a domain is a directory container object, and the word is also used to refer to the general Windows environment or structure that this directory container provides.

A Windows domain is a group of computers which share a common account database. These computers each have an associated account object which is contained by the domain container. Because computers belonging to the domain share a common account database, file sharing across these computers is simple. Basic rights to computers in a domain can be controlled via a group policy object associated with the domain directory object.

Starting with Windows 2000, each Windows domain must have a corresponding DNS domain associated with it. A Windows domain requires at least one domain controller where the common account database is held. Domain controllers for the domain must have the associated DNS domain as their primary DNS suffix. All other machines in a Windows domain can have any primary DNS suffix.


What’s an OU?

This is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.

A Windows OU is an organizational unit (a directory container) for grouping similar accounts or machines. OUs provide a means of delegating authority over a group of accounts or machines to a person (the local administrator). OUs do not require a domain controller or any other physical representation. They are simply containers in the domain database. OUs can contain other OUs to a level of 63 deep. OUs can be used to duplicate actual organizational structure. However, this isn’t always recommended.


What’s a tree?

This is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.

A Windows tree is a group of 1 or more trusted Windows domains with contiguous DNS domains. “Trusted” means that an authenticated account from one domain isn’t rejected by another domain. “Contiguous DNS domains” means that they all have the same root DNS name. For example, the domains it.dept.washington.edu and dept.washington.edu are contiguous, whereas fred.com and win.washington.edu are not contiguous. A tree shares common global catalog servers, and a common schema. The schema determines what types of objects, classes, and attributes may be created in each of the domain databases in the tree. Trees have no physical representation like a domain controller, but require at least one domain to exist. Trees are used to group Windows domains which need to share files, policy, and resources.


What’s a forest?

This is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.

A Windows forest is a group of 1 or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest. A forest may consist of one or more trees and of one or more domains.


What’s a site?

This is a Windows term referring to an organizational structure. Sites are manually defined groupings of subnets. One typically groups subnets which have high bandwidth connectivity in the same site. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them. Universities typically have a single site, but might have multiple sites if they have more than one campus. Another common reason to use sites is to segment Exchange servers to a dedicated global catalog server because of the dependency Exchange has on global catalog servers.


What is Active Directory?

Active Directory is a Windows term for the overall directory database in a Windows domain. The AD, or Active Directory, contains the user accounts, computer accounts, OUs, security groups, group policy objects, and any other LDAP-based directory object. The AD is markedly different from the NT4 domain database (called the SAM) because it is based on the LDAP standard. This means that everything in AD is an object with a unique path together with associated attributes. This allows a greater opportunity for interoperability with applications and other directory products. The tree or forest-wide schema determines what types of objects and attributes may be created in AD. Another implication of LDAP support is that information in the directory is searchable. Universities are under legal obligations to ensure the privacy of student personal information as requested, so you will find that your ability to search for information may be limited by access restrictions due to privacy settings that people have requested.


What is a schema?

The schema defines what attributes, objects, classes, and rules are available in the Active Directory. The schema is shared by AD forest-wide and is replicated between all domains, so a schema modification in one domain affects the schema in all other domains. Only special administrators known as Schema Administrators have the right to make modifications. Modifications to the schema are generally rare, and are made to extend support for enterprise application services which benefit from storing user or computer configuration data centrally. Microsoft Exchange 2000 is an example of an application which requires a schema modification.


What’s a global catalog server?

The global catalog server’s function is to process directory searches for the entire forest. Therefore, the GC has a subset of the searchable attributes for all objects in the AD, regardless of the object’s parent domain. Among the things in the GC are entries for all the accounts and machines, with a subset of the attributes for each object. A global catalog server must be a domain controller. In UWWI, all the domain controllers are global catalog servers.


What is the top-level domain or the forest root domain?

The top-level domain or forest root domain is the first domain installed in a forest. In UWWI, this is the netid.washington.edu domain. There are no other domains in UWWI.


What is group policy or a GPO?

Group policy is a Windows term for common configuration settings. An administrator can create a group policy which applies to users or computers. This group policy can set certain computer settings, such as who can log in to the computer, or user settings, such as whether the user can run control panel applets. Group policy is similar to what was called policy in NT4, but with vastly improved performance and a greater number of common configuration settings. A GPO, or group policy object, is a set of settings applied to a site, domain or OU container. The GPO is then applied to every machine or user object under that container. One can configure a GPO with ACLs to restrict the computers or users to which it is applied.


What is the group policy loopback feature?

Group Policy is applied to a user or computer based upon where the user or computer object is located in the Active Directory. The computer’s GPOs are applied at computer startup. The user’s GPOs are applied at login. However, in some cases, users may need policy applied to them based upon the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply Group Policy based upon the computer that the user is logging onto. The computer’s GPOs are still retrieved at computer startup, but the user portion of these GPOs isn’t applied until a user logs in. More detail can be found at /tools-services-support/it-systems-infrastructure/msinf/other-help/windows-domain-setup/group-policy-object-processing-order/.


What is an ACL or access-control list?

A list of security protections that applies to an object. An object can be a file, process, event, directory entry or anything else having a security descriptor. An entry in an access-control list (ACL) is an access-control entry (ACE). There are two types of access-control lists, discretionary and system. The discretionary access-control list (DACL) is typically what is meant when the term ACL is used. The DACL is an access-control list that is controlled by the owner of an object (or anyone with the ‘change permissions’ permission for that object) and that specifies the access particular users or groups can have to the object. The system access-control list (SACL) controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object’s SACL is controlled by a privilege typically held only by system administrators.


What is an ACE or access-control entry?

An entry in an access-control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
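
The following is an added example, not part of the original document. It models how a DACL's allow and deny ACEs are walked in order against the SIDs in a user's token, and goes slightly beyond the definitions above to show why ACE order and the difference between an empty DACL and a missing DACL matter. The access-right bits, SIDs and names (Ace, access_check, demo) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed access-right bits; real masks depend on the object type.
READ, WRITE = 0x1, 0x2

# Constructed SIDs for the sample user and two groups the user belongs to.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1104"
STAFF = "S-1-5-21-1111111111-2222222222-3333333333-1201"
CONTRACTORS = "S-1-5-21-1111111111-2222222222-3333333333-1202"

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the entry applies to
    mask: int   # access rights covered by the entry

def access_check(dacl: Optional[list], token_sids: set, desired: int) -> bool:
    if dacl is None:            # object has no DACL: access is unrestricted
        return True
    remaining = desired         # rights requested but not yet granted
    for ace in dacl:            # an empty DACL falls through to "denied"
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False        # explicit deny of a still-needed right
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True     # every requested right has been granted
    return False                # something requested was never granted

TOKEN = {USER, STAFF, CONTRACTORS}
CANONICAL = [Ace("deny", CONTRACTORS, WRITE), Ace("allow", STAFF, READ | WRITE)]
MISORDERED = list(reversed(CANONICAL))   # allow placed before deny

def demo() -> dict:
    return {
        "read": access_check(CANONICAL, TOKEN, READ),
        "write": access_check(CANONICAL, TOKEN, WRITE),
        "write_misordered": access_check(MISORDERED, TOKEN, WRITE),
        "empty_dacl": access_check([], TOKEN, READ),
        "no_dacl": access_check(None, TOKEN, READ),
    }

if __name__ == "__main__":
    print(demo())
```

With the deny ACE listed first the write request is refused; with the same two ACEs reversed it is granted, which is why deny entries are kept ahead of allow entries when reviewing or building a DACL.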


What is a SID?

A SID (Security IDentifier) is a structure that uniquely identifies a directory object in all Windows NT or 2000 implementations. Directory objects can be users, groups, computers, or group policy objects. The directory objects can be domain based (either in the NT domain accounts database or in Windows 2000 Active Directory) or local to the computer (in the local account database). There is a set of common SIDs called well-known SIDs which are not unique, but identical across all Windows computers.
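
The following is an added example, not part of the original document. LDAP returns a SID in its binary form, so this decodes that structure into the familiar S-1-... string and separates well-known SIDs from domain account SIDs. The sample bytes are constructed, and the function names (sid_to_string, describe) and the short well-known table are choices made for this example.

```python
import struct

# A few well-known SIDs: the same value on every Windows computer.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, count, 6-byte authority, sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")          # big-endian, 48 bits
    subs = struct.unpack("<%dI" % count, raw[8:])        # little-endian 32-bit
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def describe(raw: bytes) -> dict:
    sid = sid_to_string(raw)
    parts = sid.split("-")
    info = {"sid": sid, "well_known": WELL_KNOWN.get(sid)}
    # Domain accounts look like S-1-5-21-<three domain values>-<RID>.
    if parts[2:4] == ["5", "21"] and len(parts) == 8:
        info["domain_sid"] = "-".join(parts[:7])
        info["rid"] = int(parts[7])
    return info

# Constructed sample values (not taken from any real directory).
SAMPLE_USER = bytes.fromhex(
    "010500000000000515000000c7353a428e6b748455a1aec650040000")
SAMPLE_SYSTEM = bytes.fromhex("010100000000000512000000")
SAMPLE_ADMINS = bytes.fromhex("01020000000000052000000020020000")

if __name__ == "__main__":
    for sample in (SAMPLE_USER, SAMPLE_SYSTEM, SAMPLE_ADMINS):
        print(describe(sample))
```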
