Active Directory (AD) is a directory service/identity provider (IdP) that administrators use to connect users to Windows-based IT resources. It’s built into Windows Server and functions through Active Directory Domain Services (AD DS) to secure Windows-based systems and applications. AD DS stores information about network objects (e.g., users, groups, systems, networks, applications, digital assets, and many other items) and their relationship to one another.
This article focuses on users and how AD, via the AD DS server role, stores information that can be used for group management and flow into identity and access management (IAM) to access resources within the Windows domain. Integrations with open directory services such as JumpCloud and Azure AD can extend authentication to SaaS applications for single sign-on (SSO). JumpCloud also makes it possible to access network devices through other protocols, similar to the Network Policy Server (NPS) role for Windows, but without additional overhead.
AD’s user objects contain attributes that serve as entitlements to determine user permissions and make it possible for admins to query AD and produce compliance reports. Understanding how AD stores user information makes it easier to manage multiple domains, configure SSO (and complementary security controls) when it becomes necessary to access an external resource, or define information barriers. SSO breaks down identity silos and makes it possible to centralize your policies and controls with groups. However, that wouldn’t be possible if users aren’t decorated with the appropriate attributes, or attributes aren’t mapped to a cloud directory.
Object Classes Defined
First, some basic terminology:
User objects: User objects represent individuals within your organization who are a part of the domain. The user object resides within the higher level user class, and attributes determine what information each class can hold. This concept is called a Directory Information Tree (DIT). These concepts are outlined in more detail below.
Directory Service Tree: The DIT consists of the Distinguished Names (DNs) of directory service entries, a unique identifier that’s familiar to AD administrators and PowerShell users. For example, a DN makes it possible to execute a command on an object such as a user account. Microsoft uses “tree” as terminology for when multiple domains are grouped together; multiple trees form a forest, which can encapsulate multiple locations and IT teams. Organizational units (OUs) organize groups, users, and devices at all levels of the AD forest.
Object attributes: Object attributes define basic properties/information about them, such as first or last name. Attributes are essential to how the directory functions. Think of them as key-value pairs in a database that have predefined names so that Lightweight Directory Access Protocol (LDAP) can function as an open protocol in an IdP. A collection of attributes is an entry, such as an individual user in AD. Entries are differentiated from one another using their DN. Attributes can belong to multiple classes in AD, because the classScheme and attributeSchema are defined separately. Windows admins who have the schema master role can use the Schema Management Microsoft Management Console (MMC) snap-in to introduce custom attributes by registering schemas.
ObjectClasses: ObjectClasses are essentially a collection of attributes (a container). The LDAP standard uses directory schemas to define ObjectClasses and class hierarchy to store and retrieve data. Attributes that are associated with ObjectClasses are used to describe something, such as a person, so a person would fall within the user class type. objectClass is itself an attribute that can be used in directory search operations and reporting. ObjectClasses are outlined by the LDAP standard, which AD was built on, and fall into three categories:
- Abstract class: Recall the concept of object-oriented programming where abstractions make code reusable and extendable. An abstract class sits at the top of an inheritance chain in LDAP. The “top” class, which serves as the root class for most other object classes, is a well-known example. Abstract classes are subclassed by other entries, which inherit their attribute types, making them useful as templates for creating new classes in AD. They create a common definition of a base class that multiple subclasses can share. They function almost identically to structural classes in AD, but no object in AD DS is instantiated directly from an abstract class.
- Structural class: These classes outline where entries may occur in the DIT and what attributes are allowed. These are the only classes that have instances in AD DS.
- Auxiliary class: Auxiliary classes are included in the schema definition of other classes and list additional attributes for an entry/class. They don’t define a core entry but establish the requisite characteristics. For instance, AD uses “Must-Contain” or “May-Contain” to mandate (or make optional) attributes when a class is created by governing its values. Active Directory’s technical specification supports statically linking auxiliary classes to the classSchema of other object classes, in order of inheritance from the top class. “securityPrincipal” is an example of an auxiliary class in Active Directory that Windows then uses to permit or deny entities (groups or users) rights to the operating system.
Note that AD has syntaxes, called DataType, that determine what type of data can be stored within an attribute. It can be a confusing topic because there may be more than one name for the same attribute in AD.
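To see the three class categories, the inheritance chain and the Must-Contain/May-Contain lists for yourself, the schema can be read with the ActiveDirectory module. The following is an added example written for this article, not code from the article or from JumpCloud; it assumes RSAT is installed and that the account has read access to the schema naming context.

```powershell
# Added example: walk a structural class's inheritance chain in the AD schema
# (user -> organizationalPerson -> person -> top) and report each class's
# category, statically linked auxiliary classes, and required attributes.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
# objectClassCategory values as defined by the AD schema
$category = @{ 0 = '88-class'; 1 = 'Structural'; 2 = 'Abstract'; 3 = 'Auxiliary' }

function Get-ClassChain {
    param([string]$ClassName)   # lDAPDisplayName of the starting class, e.g. 'user'
    $name = $ClassName
    while ($name) {
        $cls = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$name'" `
            -Properties lDAPDisplayName, objectClassCategory, subClassOf,
                        auxiliaryClass, systemAuxiliaryClass,
                        mustContain, systemMustContain, mayContain, systemMayContain
        if (-not $cls) { break }
        # Merge the admin-defined and system-defined lists, dropping empty values
        $aux  = @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass) | Where-Object { $_ }
        $must = @($cls.mustContain)    + @($cls.systemMustContain)    | Where-Object { $_ }
        $may  = @($cls.mayContain)     + @($cls.systemMayContain)     | Where-Object { $_ }
        [pscustomobject]@{
            Class       = $cls.lDAPDisplayName
            Category    = $category[[int]$cls.objectClassCategory]
            SubClassOf  = $cls.subClassOf
            Auxiliary   = ($aux -join ', ')
            MustContain = ($must -join ', ')
            MayCount    = @($may).Count
        }
        # 'top' is its own superclass, so stop once the root of the chain is reached
        if ($cls.subClassOf -eq $cls.lDAPDisplayName) { break }
        $name = $cls.subClassOf
    }
}

Get-ClassChain -ClassName 'user' | Format-List
```

The output lists securityPrincipal among the auxiliary classes of user and shows top as the only Abstract entry in the chain.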
Common Active Directory Object Attributes
Active Directory stores attributes for applications, computers, printers, shared folders, and users. Think back to the AD user object. An organization would store attributes such as:
- First name
- Last name
AD object attributes make it possible to drill down into events to learn which user on which computer (by computer name) may have accessed a particular resource. This is possible because LDAP requires that every attribute has an LDAP name that can be used in queries.
Zero Trust Security
User attributes can also play a role in IAM for AD users, but not within Active Directory itself.
Access control within AD DS uses an access control entry (ACE) to grant or deny an object (such as a user or group) access to a resource. Attribute-based access control (ABAC) is a more modern approach that directories such as JumpCloud use to automate entitlements. For instance, a user that changes departments may no longer require access to an accounting system. AD DS would grant any user that belongs to a group access, despite organizational attributes having changed. AD creates higher administrative overhead and it doesn’t offer Zero Trust security, because attributes never challenge entries within the access control list (ACL). An ACL contains many different ACEs, which presents the risk of many outdated group memberships.
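The stale-membership risk described above can at least be detected in AD with a periodic check that compares each entitlement group against the department it is meant to serve. The following is an added example written for this article, not the article's or JumpCloud's own code; the group names and department values are assumptions for illustration.

```powershell
# Added example: report group members whose Department attribute no longer
# matches the department the group exists to serve, i.e. memberships that an
# attribute-driven directory would have revoked automatically.
Import-Module ActiveDirectory

# Hypothetical mapping of entitlement groups to the department that owns them
$groupDepartments = @{
    'Accounting-System-Users' = 'Accounting'
    'HR-Portal-Users'         = 'Human Resources'
}

function Find-StaleGroupMembership {
    param([hashtable]$Mapping)
    foreach ($group in $Mapping.Keys) {
        $expected = $Mapping[$group]
        # -Recursive expands nested groups so indirect members are checked too
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties Department, Enabled |
            Where-Object { $_.Department -ne $expected } |
            ForEach-Object {
                [pscustomobject]@{
                    Group              = $group
                    SamAccountName     = $_.SamAccountName
                    Enabled            = $_.Enabled
                    CurrentDepartment  = $_.Department
                    ExpectedDepartment = $expected
                }
            }
    }
}

Find-StaleGroupMembership -Mapping $groupDepartments | Format-Table -AutoSize
```

Rows with an empty CurrentDepartment point at accounts whose attributes were never populated, which is the other way ABAC fails to take hold.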
How to Find Active Directory Attributes
Admins can query AD from the Active Directory Users and Computers (ADUC) console, an add-on to MMC in Windows Server. It’s the go-to tool for managing objects and their attributes. ADUC has an Attribute Editor tab, shown only once Advanced Features is enabled in the View menu, that lists all attributes and their corresponding values, including attributes that are otherwise hidden. Some attributes are marked confidential and their values can be hidden from admins.
The Active Directory PowerShell module is part of the Remote Server Administration Tools (RSAT) for Windows and can be used as an alternative method by command line gurus. The Get-ADUser command is used in combination with filtering to return user properties.
```powershell
Get-ADUser -Identity WorthingtonDavid -Properties *
```

```text
Surname : David
Name : Worthington David
GivenName : David
Enabled : False
SamAccountName : WorthingtonDavid
ObjectClass : user
SID : S-2-6-31-47795136661-7810167215-4424248291-7722
ObjectGUID : 4bec018b-dbbc-4adc-8872-a6b182ac1e5d
DistinguishedName : CN=Worthington David,OU=NorthAmerica,OU=Marketing,OU=UserAccounts,DC=JUMPCLOUD,DC=COM
```
It’s also possible to use services that integrate with AD to review attributes and more, including managing access control to your web applications.
AD Attributes and JumpCloud
Your AD user attributes can become a useful element of your IAM strategy. JumpCloud’s groups utilize ABAC and can automate membership changes or make suggestions that admins can act on. JumpCloud also imports the preexisting group structures and memberships from AD. Additional user attributes may be imported from an HRIS system to align HR and IT operations.
JumpCloud’s ABAC establishes more mature entitlement management than AD with less administrative overhead. Group memberships can be combined with environment-wide multi-factor authentication (MFA) and conditional access for privileged users. The directory supports OIDC, RADIUS, LDAP, and SAML authentication methods with MFA everywhere.
AD attributes can be managed through JumpCloud when Windows domains are integrated with JumpCloud’s open directory. JumpCloud’s PowerShell Module will query all user attributes in addition to taking bulk actions to add or modify custom attributes in AD.
```powershell
Set-JCUser -username bobby.boy -NumberOfCustomAttributes 2 -Attribute1_name Department -Attribute1_value Dev -Attribute2_name Location -Attribute2_value Boulder
```
AD is otherwise maintained as the “system of record” for your attributes.
There are even more ways to capture your AD attributes within JumpCloud. The Directory Insights reporting tool captures telemetry, including user attributes. The Directory Insights API may also be used to review activity within your directory using other reporting tools.
One of the many benefits of AD integration is that JumpCloud’s Active Directory Integration (ADI) application will automatically import basic attributes from AD, including:
- First name
- Last name
- Password expiration
- Username (logon name in AD)
- User state
Changes made within AD will reflect in the JumpCloud tenant within 90 seconds.
Organizations that are also using Azure Active Directory (AAD) can perform bilateral attribute mapping with JumpCloud.
JumpCloud is free and fully functional for up to 10 users and 10 devices. Premium chat support is also available during the initial 10 days of your account. JumpCloud provides SSO, cloud RADIUS to manage access to network devices and Wi-Fi, cross-OS device management, and additional IT management features including a free Remote Assist tool, patch management for devices and browsers, and a password manager to keep your identities and resources safe.
JumpCloud also offers a multi-tenant portal for MSPs to remotely manage users and devices, and remotely troubleshoot IT issues. It integrates with MSP billing and operations services.
Need a helping hand importing your attributes? Reach out to [email protected] for assistance to determine which Professional Service option might be right for you.