1.3 Overview

The goal of this protocol is to enable IT administrators and end users to manage users, groups, and computers. IT administrators and their delegates generally have full access control to these entities, and consequently can manage the entities' life cycles. End users are allowed to make changes to their own data (in most cases, limited to just their passwords).

This protocol achieves its goal by enabling the creation, reading, updating, and deleting of security principal information. These security principals could be in any account store. Windows implements this protocol, for example, in a directory service (Active Directory) and in a computer-local security account database. In this specification, normative differences in the protocol between these two cases are indicated by referring to the configuration of the server as a "DC" or "non-DC" configuration, respectively, where "DC" stands for domain controller (DC).

It is helpful to consider the following two perspectives when understanding and implementing this protocol:

  • Object-based perspective (see section 1.3.1)

  • Method-based perspective (see section 1.3.2)