Access-control configuration poses several challenges for IT administrators. You must manage and delegate access for thousands of user accounts, integrate and aggregate various account repositories, set enterprise policies that may vary by department, and configure single sign-on, authentication, authorization and auditing. Identity-management apps can help, but they can be expensive and complex. There's an easier way.
Authentication is the process of identifying the user. It involves comparing the credentials entered at logon with the ones stored in a central repository. On Windows servers, this is performed through the Windows authentication system and Active Directory. When the user is authenticated, the credentials, such as user name and password, are validated against policy rules. For example, the admin can set the user account or the password to expire, at which time Windows prompts the user to change them. Windows can also define minimum requirements for password length and complexity.
Once the user has logged on, authorization is the process that grants the user appropriate rights to various resources, including remote servers and files. Every resource (data object) is configured to grant access to users through access-control lists. The ACL contains a list of access control entries. Each ACE defines a permissible action that the user can perform on the object, such as "full control," "write only" and "delete." Since every user account has a unique security identifier (SID), the authorization server (domain controller) grants access to the resource by checking the SID against the ones stored in that particular resource's ACE. If the user SID matches the ACE SID, the user is authorized to access the resource with the permissions granted during authentication. Access controls can be set on every object and given to every user or group in the domain.
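As an added illustration (not code from the original article), the following Python models the SID-against-ACE comparison described above and generalizes it to the way a Windows DACL is actually walked: the user's token carries the user SID plus group SIDs, access-denied entries are honored, and every requested right must be explicitly allowed. The SIDs and the rights mask are constructed sample values, not real Windows constants.

```python
from dataclasses import dataclass

# Constructed access-mask bits standing in for file-system rights.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE

@dataclass(frozen=True)
class ACE:
    sid: str     # trustee SID this entry applies to
    mask: int    # rights the entry allows or denies
    allow: bool  # True = access-allowed ACE, False = access-denied ACE

def check_access(token_sids, dacl, requested):
    """Walk the DACL in order, stopping at the first decisive entry.

    token_sids: set of SIDs in the caller's token (user SID and group SIDs).
    dacl: ordered list of ACEs; None models a null DACL (no protection at all).
    requested: bitmask of rights the caller asks for.
    """
    if dacl is None:
        return True                      # null DACL grants everything
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                     # entry is for someone else
        if not ace.allow:
            if ace.mask & remaining:
                return False             # explicit deny on a needed right wins
        else:
            remaining &= ~ace.mask       # these rights are now granted
            if remaining == 0:
                return True
    return False                         # empty DACL or rights never granted

# Constructed SIDs (placeholder domain identifier 1-2-3).
ALICE_SID       = "S-1-5-21-1-2-3-1001"
BOB_SID         = "S-1-5-21-1-2-3-1002"
DOMAIN_USERS    = "S-1-5-21-1-2-3-513"
CONTRACTORS     = "S-1-5-21-1-2-3-1105"

ALICE_TOKEN = {ALICE_SID, DOMAIN_USERS}
BOB_TOKEN   = {BOB_SID, DOMAIN_USERS, CONTRACTORS}

# Canonical ordering: explicit deny entries precede allow entries.
FILE_DACL = [
    ACE(CONTRACTORS, DELETE, allow=False),
    ACE(DOMAIN_USERS, READ, allow=True),
    ACE(CONTRACTORS, FULL_CONTROL, allow=True),
]

if __name__ == "__main__":
    print("Bob may delete:", check_access(BOB_TOKEN, FILE_DACL, DELETE))  # False
```

Bob is a contractor, so the deny entry at the head of the DACL blocks his DELETE request even though a later entry allows him full control; Alice, who is not a contractor, is granted only what Domain Users allows.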
Active Directory provides secure storage for user credentials and for the cryptographic keys that validate those credentials during authentication. AD complies with the Lightweight Directory Access Protocol and can interoperate and aggregate data with other LDAP directory services. AD organizes objects, called entries, in a tree structure that helps manage company resources, such as computers and users, by mapping them to geographical and organizational attributes. The root of the tree is the company domain. Below it, subdirectories are organizational units (OUs): directory containers for grouping accounts and machines.
Windows policies are configuration files that contain settings for accounts, passwords, user rights, auditing and other attributes. They can include information about the local machine (local policy) and/or the domain (domain policy). Group policies define security settings for computers and users and can be applied to directory containers by site, domain or organizational unit. The computer section of a group policy is applied at bootup, while the user section is applied at login. Domain policies take precedence over local policies. Group policies applied to subdirectories such as OUs override other settings, with the exception of domain account and password policies.