1.1 Glossary

The following terms are specific to this document:

64-bit Network Data Representation (NDR64): A specific instance of a remote procedure call (RPC) transfer syntax. For more information about RPC transfer syntax, see [C706] section 14.

access check: A verification to determine whether a specific access type is allowed by checking a security context against a security descriptor.

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.

access mask: A 32-bit value present in an access control entry (ACE) that specifies the allowed or denied rights to manipulate an object.

account: A user (including machine account), group, or alias object. Also a synonym for security principal or principal.

account domain: A domain, identified by a security identifier (SID), that is the SID namespace for which a given machine is authoritative. The account domain is the same as the primary domain for a domain controller (DC) and is its default domain. For a Windows machine that is joined to a domain, the account domain is the SID namespace defined by the local Security Accounts Manager [MS-SAMR].

account domain object (account domain): A domain object that represents an issuing authority in which user objects can be created. For more information about the concept of an issuing authority, see [MS-AUTHSOD] section

account domain security identifier: The security identifier (SID) of the account domain object.

account group: A group object whose members always include the security identifier (SID) of the group in the authorization context.

AccountOperatorsSid: A SID with the specific value of S-1-5-32-548.

ACID: A term that refers to the four properties that any database system must achieve in order to be considered transactional: Atomicity, Consistency, Isolation, and Durability [GRAY].

Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.

AdministratorSid: A SID with the specific value of S-1-5-32-544.

alias: An alternate name that can be used to reference an object or element.

alias object: See resource group.

built-in domain: The security identifier (SID) namespace defined by the fixed SID S-1-5-32. Contains groups that define roles on a local machine such as Backup Operators.

control access right: An extended access right that can be granted or denied on an access control list (ACL).

database object: A representation of a named set of attribute value pairs that a protocol exposes.

delta time: A negative FILETIME. It represents a period of time, expressed as a negative number of 100-nanosecond intervals. For example, a period of 20 minutes (1,200 seconds, or 12,000,000,000 such intervals) is represented as -12000000000.

discretionary access control list (DACL): An access control list (ACL) that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication (2) of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section and [MS-ADTS].

domain admins: A group with a security identifier (SID) with the relative ID value of 512 in the account domain.

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].

domain functional level: A specification of functionality available in a domain. Must be less than or equal to the DC functional level of every domain controller (DC) that hosts a replica of the domain's naming context (NC). For information on defined levels, corresponding features, information on how the domain functional level is determined, and supported domain controllers, see [MS-ADTS] sections and When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), domain functional level does not exist.

domain object: A database object that represents an issuing authority as specified in [MS-AZOD] section An account is said to be "in" a particular domain if the domain prefix of its security identifier (SID) is the SID of the particular domain.

domain prefix: A security identifier (SID) of a domain without the relative identifier (RID) portion. The domain prefix refers to the issuing authority SID. For example, the domain prefix of S-1-5-21-397955417-626881126-188441444-1010 is S-1-5-21-397955417-626881126-188441444.

fully qualified domain name (FQDN): In Active Directory, a fully qualified domain name (FQDN) that identifies a domain.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

group: A named collection of users who share similar access permissions or roles.

group object: A database object that represents a collection of user and group objects and has a security identifier (SID) value.

LM hash: A DES-based cryptographic hash of a cleartext password. See LMOWFv1, as specified in [MS-NLMP] section 3.3.1 (NTLM v1 Authentication), for a normative definition.

machine account: An account that is associated with individual client or server machines in an Active Directory domain.

NDR64: See 64-bit Network Data Representation (NDR64).

Network Data Representation (NDR): A specification that defines a mapping from Interface Definition Language (IDL) data types onto octet streams. NDR also refers to the runtime environment that implements the mapping facilities (for example, data provided to NDR). For more information, see [MS-RPCE] and [C706] section 14.

NT hash: An MD4- or MD5-based cryptographic hash of a clear text password. For more information, see [MS-NLMP] section 3.3.1 (NTOWFv1, NTLM v1 Authentication), for a normative definition.

OEM code page: See original equipment manufacturer (OEM) code page.

original equipment manufacturer (OEM) code page: A code page used to translate between non-Unicode encoded strings and UTF-16 encoded strings.

primary domain controller (PDC): A domain controller (DC) designated to track changes made to the accounts of all computers on a domain. It is the only computer to receive these changes directly, and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC.

RC4: A variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.

read-only domain controller (RODC): A domain controller (DC) that does not accept originating updates. Additionally, an RODC does not perform outbound replication. An RODC cannot be the primary domain controller (PDC) for its domain.

relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the distinguished name (DN) of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston". For more information, see [RFC2251].

relative identifier (RID): The last item in the series of SubAuthority values in a security identifier (SID) [SIDD]. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same RID.

resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.

RPC transfer syntax: A method for encoding messages defined in an Interface Definition Language (IDL) file. Remote procedure call (RPC) can support different encoding methods or transfer syntaxes. For more information, see [C706].

salt: An additional random quantity, specified as input to an encryption function that is used to increase the strength of the encryption.

security descriptor: A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by its security identifier (SID). If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. Applications use this structure to set and query an object's security status. The security descriptor is used to guard access to an object as well as to control which type of auditing takes place when the object is accessed. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.

security identifier (SID): An identifier for security principals in Windows that is used to identify an account or a group. Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the relative identifier (RID). The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of SIDs is specified in [MS-DTYP] section 2.4.2 and [MS-AZOD] section
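The SID structure just described, together with the domain prefix, relative identifier (RID) and domain object entries above, as an added example that is not part of the specification: parse a string SID into its parts, derive the domain prefix and RID, and test domain membership the way the domain object entry defines it. The well-known values are the ones this glossary lists; the account SID used in the usage call is a constructed sample.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    """A string SID broken into the parts the definitions above name."""
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a string SID: {text!r}")
        if int(parts[1]) != 1:
            raise ValueError(f"unsupported SID revision in {text!r}")
        # [MS-DTYP] permits at most 15 SubAuthority values, each a 32-bit integer;
        # the identifier authority may be written in hex ("0x...") when large.
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
            raise ValueError(f"bad SubAuthority list in {text!r}")
        return cls(1, int(parts[2], 0), subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.identifier_authority),
                         *map(str, self.sub_authorities)])

    @property
    def rid(self) -> int:
        """Relative identifier (RID): the last SubAuthority value."""
        if not self.sub_authorities:
            raise ValueError("SID has no SubAuthority values, so no RID")
        return self.sub_authorities[-1]

    def domain_prefix(self) -> "Sid":
        """The SID with its RID removed: the issuing authority SID."""
        return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])


def is_in_domain(account: Sid, domain: Sid) -> bool:
    """Per the 'domain object' entry: an account is in a domain when the
    account SID's domain prefix equals the domain's SID."""
    return account.domain_prefix() == domain


# Well-known SIDs listed in this glossary, keyed by string form.
WELL_KNOWN = {"S-1-1-0": "WorldSid", "S-1-5-32-544": "AdministratorSid",
              "S-1-5-32-548": "AccountOperatorsSid"}
BUILTIN_DOMAIN = Sid.parse("S-1-5-32")  # the built-in domain prefix
```

Parsing the constructed SID S-1-5-21-397955417-626881126-188441444-1010 from the domain prefix entry yields RID 1010 and domain prefix S-1-5-21-397955417-626881126-188441444, and S-1-5-32-548 is reported as being in the built-in domain.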

security principal: A unique entity that is identifiable through cryptographic means by at least one key. It frequently corresponds to a human user, but also can be a service that offers a resource to other security principals. Also referred to as principal.

server object: The database object in the account domain with an object class of samServer.

system access control list (SACL): An access control list (ACL) that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

token: A set of rights and privileges for a given user.

UAS Compatibility: A configuration mode that affects protocol behavior constraints specified in this document. "UAS" is the acronym for "User Account Security (Database)" and refers to products no longer supported, such as Microsoft NT LAN Manager. The default setting in Windows is "off".

universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object g is a universal group if and only if GROUP_TYPE_UNIVERSAL_GROUP is present in g!groupType. A security-enabled universal group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a universal group cannot be created in that domain. See also domain local group, security-enabled group.

universally unique identifier (UUID): A 128-bit value. UUIDs can be used for multiple purposes, from tagging objects with an extremely short lifetime, to reliably identifying very persistent objects in cross-process communication such as client and server interfaces, manager entry-point vectors, and RPC objects. UUIDs are highly likely to be unique. UUIDs are also known as globally unique identifiers (GUIDs) and these terms are used interchangeably in the Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the UUID. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the UUID.

user: The real person who has a member account. The user is authenticated by being asked to prove knowledge of the secret password associated with the user name.

user object: An object of class user. A user object is a security principal object; the principal is a person or service entity running on the computer. The shared secret allows the person or service entity to authenticate itself, as described in ([MS-AUTHSOD] section

user profile: A collection of properties that pertain to a specific person or entity within a portal site.

WorldSid: A SID with the specific value of S-1-1-0.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

© 2015 Microsoft