Export (0) Print
Expand All

1.1 Glossary

The following terms are defined in [MS-GLOS]:

64-bit Network Data Representation (NDR64)
access check
access control entry (ACE)
access control list (ACL)
access mask
account domain object (account domain)
account domain security identifier
account group
Active Directory
authorization context
built-in domain
control access right
database object
delta time
discretionary access control list (DACL)
domain admins
domain name (3)
domain object
domain prefix
fully qualified domain name (FQDN) (2)
globally unique identifier (GUID)
group object
mixed mode
native mode
Network Data Representation (NDR)
OEM code page
read-only domain controller (RODC)
relative identifier (RID)
RPC transfer syntax
security principal
security identifier (SID)
system access control list (SACL)
user profile
universally unique identifier (UUID)

The following terms are defined in [MS-ADTS]:

domain functional level
primary domain controller (PDC)
relative distinguished name (RDN)

The following terms are specific to this document:

account: A user (including machine account), group, or alias object.

AccountOperatorsSid: A SID with the specific value of S-1-5-32-548.

AdministratorSid: A SID with the specific value of S-1-5-32-544.

alias object: See resource group.

domain controller (DC): A server on which the Active Directory operating system directory service is installed and operating. It hosts the data store for objects and interoperates with other DCs to ensure that an originating change to an object replicates correctly across all DCs. For more information, see [MS-AUTHSOD] section

LM hash: A DES-based cryptographic hash of a cleartext password. See LMOWFv1, as specified in [MS-NLMP] section 3.3.1 (NTLM v1 Authentication), for a normative definition.

machine account: A user object that represents a computer (as opposed to an end user).

NT hash: An MD4-based cryptographic hash of a cleartext password. See NTOWFv1, as specified in [MS-NLMP] section 3.3.1 (NTLM v1 Authentication), for a normative definition.

resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.

salt: A value consisting of random bits used to increase the complexity of dictionary attacks against secret data that is protected through cryptographic means. For details, see [MENEZES] section 10.2.1.

security descriptor: A policy expressing access control. For more information, see [MS-GLOS] section 20 and [MS-DTYP] sections 2.4.6 and 2.5.

server object: The database object in the account domain with an object class of samServer.

UAS Compatibility: A configuration mode that affects protocol behavior constraints specified in this document. "UAS" is the acronym for "User Account Security (Database)" and refers to products no longer supported, such as Microsoft NT LAN Manager. The default setting in Windows is "off".

universal group: Similar to an account group, with the distinction that a universal group may have members from any domain in the server's forest.

user object: A database object that represents a security principal, as described in [MS-AUTHSOD] section

WorldSid: A SID with the specific value of S-1-1-0. WorldSid is used in a default access control list (ACL).

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

© 2015 Microsoft