Site icon Windows Active Directory

Authenticating and authorizing objects in AD

When it comes to resource sharing, the first thought is to provide access only to those who require it and to the level they require it. This is where security principal objects play a crucial role, in that they can be “authenticated” and “authorized” to use other resource objects. AD authenticates the security principal objects using access tokens.

As already mentioned every security principal object is uniquely identified with a SID across a domain. These SIDs are used in access tokens during authentication.

The security system creates access tokens, this access token contains security information of the users who have logged on and have been authenticated. The access tokens of security principal objects (or a subject) will have the subject’s SID, the SIDs of the groups to which it belongs, the access privileges it has towards the object it is trying to access and other such access information.

While on the other side, every object will have a security descriptor that defines who can access that particular object and at what level. The security descriptor will hold information like the SID of the object’s owner, the group SIDs , DACL (Discretionary access control list) and SACL (System access control list).

The DACL and SACL are a list of access control entries.

The permissions granted to a particular user or group over an object by the object’s owner are stored as ACEs in DACL.

In the user’s interface, they can be viewed as permissions under the security tab of User properties dialogue box as shown above.

Situations arise when organizations have to keep track of who accessed a particular object, when, from where, etc. AD allows you to maintain a log of such events. This can be done by enabling auditing for the particular object under the security tab or by configuring audit policies under GPOs. The ACEs in the SACL will define what events have to be audited. For example, you can audit the success and failures of logons on a user account.

In the user’s interface, it can be viewed under the event viewer window as shown in the figure above.

When a subject tries to access an object, the system compares his access token against the object’s security descriptor, if the comparison reveals that he is authorized to access the object then the user is allowed access.


People also read

Ownership of objects in Active Directory

AD object classification

Creating objects in Active Directory

Exit mobile version