
Microsoft Active Directory® (AD) is the directory service that manages the creation, modification, and removal of user and computer accounts on a company's network. Microsoft designed it for Windows networks to centralize security settings, policies, and software deployment. AD Domain Services runs on Windows Server; each server that hosts a writable copy of the directory is a domain controller, and together the domain controllers serve a "domain," a boundary of accounts and machines that trust one another. AD exposes the directory over the open-standard LDAP protocol and authenticates with Kerberos (with the older NTLM protocol as a fallback). Over the past decade, AD has become the on-premises standard for user directories.

AD is built on a hierarchy of forests, trees, and domains. The forest is the top level, for example, a company; it shares one schema and one configuration, and Microsoft treats the forest, not the domain, as the security boundary. A tree is a set of domains that share a contiguous DNS namespace; a division of a large company might be a tree. The domain is the most discrete unit and is effectively a site or group of users and devices with its own domain controllers and policies. Each user, computer, or group is an object, and objects are the units that live in a domain. This hierarchy was a critical foundational element for AD as it was gaining popularity. However, as company boundaries shift and organizations change their views of on-premises networks, AD is saddled with a legacy approach to grouping users and devices and granting them appropriate access.

At a high level, AD has three critical capabilities: authentication, authorization, and management of users and devices.

Authentication

Active Directory stores each account's username together with derived credentials (the NT password hash and Kerberos keys, not the clear-text password) in its database on the domain controllers. When a user signs in to a domain-joined device, the device does not send the password itself to a domain controller. With Kerberos, the client proves it knows the key derived from the password by encrypting a timestamp with it; the domain controller, acting as the Key Distribution Center, decrypts that pre-authentication data with the stored key and, on success, issues a ticket-granting ticket that also carries the user's group memberships. With NTLM, the client answers a server challenge with a value computed from the NT hash, and the domain controller verifies the response against the hash it holds. Either way, the outcome is a match/no-match verdict, and each failed attempt counts toward the account's lockout threshold.
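The check described above, as an added example that is not part of the original post: it submits a credential to a domain controller through the Windows logon path (Negotiate, so Kerberos with NTLM fallback) and, on failure, reads the account's state to explain why. It assumes a domain-joined host with the RSAT ActiveDirectory module and a domain named corp.example.com; the account names are hypothetical.

```powershell
# Added example (not JumpCloud's code). Assumes a domain-joined host with the
# RSAT ActiveDirectory module; 'corp.example.com' and the accounts are assumptions.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module ActiveDirectory

function Test-ADCredential {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # ValidateCredentials performs a real logon against a domain controller.
    # The clear-text password stays on this host: the client proves knowledge
    # of the derived key (Kerberos) or answers a challenge with the NT hash
    # (NTLM), and the DC checks that against what it stores.
    # Caveat: a wrong password here counts as a bad logon and can lock the
    # account out, so do not loop this over a password list.
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        $net = $Credential.GetNetworkCredential()     # strips any DOMAIN\ prefix
        return $ctx.ValidateCredentials($net.UserName, $net.Password,
            [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)
    }
    finally { $ctx.Dispose() }
}

function Get-ADAccountLogonState {
    # Explains a failed check: a correct password is still rejected when the
    # account is disabled, locked out, or has an expired password.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut,
        PasswordExpired, PasswordLastSet, BadLogonCount |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
            PasswordLastSet, BadLogonCount
}

# Usage: prompt rather than hard-coding a password in a script.
$cred = Get-Credential -Message 'Domain account to test'
if (Test-ADCredential -Domain 'corp.example.com' -Credential $cred) {
    'Credential accepted by the domain'
} else {
    Get-ADAccountLogonState -SamAccountName $cred.GetNetworkCredential().UserName
}
```

Run it from an account that may read user objects; the diagnostic step needs no privilege beyond that, but the logon attempt itself is recorded on the domain controller like any other.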

Authorization

Beyond verifying credentials, AD supplies the group memberships that servers and applications use to decide who may access what. For example, some employees may be allowed to access a Microsoft SharePoint server while others may not. In this case, a security group is created in AD, the intended employees are added to it, and the SharePoint server is configured to grant access only to members of that group; employees outside the group are denied. The same pattern applies to file shares, printers, and any application that accepts Windows groups in its access control lists. One caveat: group memberships are baked into a user's logon token (and Kerberos ticket) at logon time, so a newly added member does not gain access until they log on again.
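The group-based authorization pattern just described, as an added example that is not part of the original post. Because the text gives no SharePoint specifics, it uses a file share on a Windows file server as the protected resource; the group name, OU, share path, domain NetBIOS name CORP, and user names are assumptions.

```powershell
# Added example (not JumpCloud's code). Group, OU, path, domain name and users
# are assumptions; run on a domain-joined file server with RSAT installed.
Import-Module ActiveDirectory

$GroupName = 'ProjectX-Readers'
$GroupOU   = 'OU=Groups,DC=corp,DC=example,DC=com'
$SharePath = 'D:\Shares\ProjectX'      # stand-in for the SharePoint site in the text

# 1. A *security* group (a distribution group cannot appear in an ACL), populated
#    with the people who should see the resource.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Read access to Project X'
}
Add-ADGroupMember -Identity $GroupName -Members 'alice', 'bob'

# 2. Put the group, not individual users, on the resource's ACL. Inheritance is
#    cut so broad grants from the parent folder (e.g. Users:Read) do not leak in.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        "CORP\$GroupName", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $SharePath -AclObject $acl

# 3. Verify. If the folder is published over SMB, the share-level permission
#    (Grant-SmbShareAccess) must also allow the group; effective access is the
#    more restrictive of share and NTFS permissions.
(Get-Acl -Path $SharePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName

# Membership reaches a user's token only at logon, so alice must log off and on
# (or the client must obtain a fresh Kerberos ticket) before the grant takes effect.
```

Auditing this later is a matter of listing the group's members, which is a far simpler question than "which individual users are on this ACL", and is the reason the group, not the user, is the unit of authorization.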

Management

A critical feature of AD is its ability to manage devices through Group Policy Objects (GPOs). A GPO is a bundle of settings linked to a site, domain, or organizational unit; every computer and user within that scope applies it at startup or logon and again on a periodic refresh. Admins use GPOs to enforce password policy, map network drives, set registry values, and much more, and for savvy IT admins they end up being the main lever for controlling the device fleet. Every GPO has two halves: Computer Configuration, referred to here as system GPOs, and User Configuration, referred to here as user GPOs. The computer half carries system-level configuration covering networking, security, startup, shutdown, and more, including:

  1. Software to install
  2. DNS configuration
  3. Startup/shutdown scripts
  4. Password aging and complexity (domain account policy; it takes effect for domain accounts only from a GPO linked at the domain level, such as the Default Domain Policy, unless a fine-grained password policy overrides it for specific users or groups)
  5. Account lockout duration/thresholds (same domain-level rule as above)
  6. Kerberos configuration
  7. Auditing policy and configuration
  8. User rights management (what users can do, e.g. setting their own time, installing apps, changing time zone, etc.)
  9. Security options, such as allowing/disallowing the use of USB sticks or CD-ROMs (among many, many things)
  10. Event log max sizes and retention
  11. Which services are allowed to run
  12. Specific registry settings
  13. Wired and wireless network policies (requiring 802.1X or not)
  14. Windows firewall configuration
  15. List of allowed networks
  16. Key management policies, including BitLocker unlock management, and trusted publishers and people
  17. Software restriction policies
  18. Microsoft NAP configuration (Network Access Protection; deprecated in Windows Server 2012 R2 and removed in Windows Server 2016)
  19. AppLocker (introduced with Windows 7/Server 2008 R2), which blocks unauthorized or malicious software and implements application control policies on a per user/machine basis
  20. AD security policies
  21. Network QoS configuration (quality of service)

User GPOs (as opposed to system GPOs) apply to the user accounts within the GPO's linked scope, optionally narrowed to particular groups with security filtering, and contain settings focused on controlling and providing a consistent user experience, including:

  1. Software to install
  2. Login/logoff scripts
  3. Public key policies
  4. Software installation restrictions
  5. Folder redirection (storing a user's profile folders, such as Documents and Desktop, on a file share rather than on the local system)
  6. Network QoS configuration (quality of service)
  7. Hiding/showing control panel items
  8. Control around desktop settings, such as desktop wallpaper, the ability to add, edit, delete, or disable items.
  9. Management of network connections
  10. Shared Folder configuration
  11. Start Menu layout and configuration
  12. Overall system management restrictions, such as the ability to install drivers, access the task manager, manage power settings, and more.
  13. Management of Windows components such as new Windows 8.1 features, desktop gadgets, the window manager, file explorer, and much more
  14. IE and network privacy and security settings
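The two halves of a GPO and the domain account policy from the lists above, as an added example that is not part of the original post: it builds one GPO with a computer-side setting and a user-side setting, links it to an OU, and sets the domain's password and lockout policy with a stricter fine-grained policy for administrators. The domain, OU, GPO name, and policy values are assumptions; the registry paths are the documented policy locations for the settings named in the comments.

```powershell
# Added example (not JumpCloud's code). Domain, OU, GPO name and the chosen
# thresholds are assumptions. Run on a domain controller or a host with RSAT.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$GpoName  = 'Workstation Baseline'
$TargetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Security baseline for staff workstations' | Out-Null
}

# --- Computer Configuration (system GPO half) ---------------------------------
# "Network security: Do not store LAN Manager hash value on next password change".
# Written as a registry policy here, so the report lists it under Extra Registry
# Settings rather than Security Options, but clients apply the value either way.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# Removable Storage Access: "Removable Disks: Deny write access" (the USB-stick
# control from the list). The GUID is the removable-disk device class.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' `
    -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null

# --- User Configuration (user GPO half) ---------------------------------------
# "Remove Task Manager" from the system-management restrictions in the list.
# An HKCU key routes the value into the user half of the GPO.
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Link it; computers in the OU pick it up at next refresh (or `gpupdate /force`).
if (-not ((Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# --- Domain account policy -----------------------------------------------------
# Password aging/complexity and lockout live on the domain object, not on the
# workstation OU's GPO; this cmdlet edits exactly those attributes.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration '00:15:00' -LockoutObservationWindow '00:15:00' `
    -ReversibleEncryptionEnabled $false

# A fine-grained password policy overrides the domain default for its subjects;
# here it tightens the rules for Domain Admins without touching everyone else.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'Admins'")) {
    New-ADFineGrainedPasswordPolicy -Name 'Admins' -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -MaxPasswordAge '365.00:00:00' -MinPasswordAge '1.00:00:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins' -Subjects 'Domain Admins'
}

# Review what was built: an HTML report of the GPO plus the effective policies.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$($GpoName -replace ' ','_').html"
Get-ADDefaultDomainPasswordPolicy
Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
```

On a workstation in the OU, `gpresult /r` shows whether the GPO applied and to which half (computer or user); a setting that appears in the report but not on the client usually means the link, security filtering, or WMI filter excluded it rather than that the value is wrong.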

Future Developments: What’s in Store for Directories?

As the industry moves to a cloud-based Directory-as-a-Service (or DaaS), an obvious question emerges: How will new-age cloud directory services affect the age-old Active Directory?

The simple answer is: they will enhance it, simplify it, make it more secure and easier to manage, and ultimately replace it. But let's explore why.

AD is a standard for Microsoft-centric organizations. It is tightly tied to Windows, the Domain Controller, and other Microsoft applications such as Exchange. As organizations move to cloud-based services, such as Google Apps and Office 365, and utilize other OSs and device types, the value of AD decreases. However, the ability to authenticate across your entire user population, authorize access to a variety of device and app types, and manage a cross-platform group of devices is critical. While AD can’t handle all of that, it has inspired Identity-as-a-Service platforms that do.

While AD is at the core of a number of organizations, Directory-as-a-Service related services are extending AD out to cloud infrastructure as well as other device types. Further, as some organizations move fully to the cloud, they are replacing AD with DaaS solutions.

Learn More About Active Directory and DaaS

If you would like to learn more about the differences between Active Directory and cloud directory services, drop us a note. Also, feel free to give JumpCloud® a try.
