3 A

abort request: An action that a participant performs to force a transaction to reach an abort outcome.

abstract class: See abstract object class.

abstract object class: An object class whose only function is to be the basis of inheritance by other object classes, thereby simplifying their definition.

Abstract Syntax Notation One (ASN.1): A notation for defining the complex data types that carry a message across a network, without concern for their binary representation. ASN.1 specifies data types with a notation that does not necessarily determine the representation of each value. ASN.1 encoding rules are sets of rules used to transform data specified in the ASN.1 language into a standard format that can be decoded on any system that has a decoder based on the same set of rules. ASN.1 and its encoding rules were once part of the same standard. They have since been separated, but it is still common for the terms ASN.1 and Basic Encoding Rules (BER) to be used to mean the same thing, though this is not the case. Different encoding rules can be applied to a given ASN.1 definition; the choice of encoding rules is an option of the protocol designer.

acceptor: A participant that receives a session or connection request. This role is also known as the "subordinate."

access check: A verification to determine whether a specific access type is allowed by checking a security context against a security descriptor.

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.

access control list (ACL): A list of access control entries (ACEs) that collectively describe the security protections that apply to an object.

access mask: A 32-bit value present in an access control entry (ACE) that specifies the allowed or denied rights to manipulate an object.

access point: A network access server (NAS) implementing 802.11.

access profile: A set of configuration data for a network access server (NAS) to determine the level of service to provide to an endpoint. This configuration data is sent from the RADIUS server to the network access server (NAS) as a set of RADIUS attributes.

access type: An action defined for access such as "read", "write", "full control", control access right "x", and so on. Used in security descriptors.

account: A user, group, or alias object.

account domain: A domain, identified by a security identifier (SID), that is the SID namespace for which a given machine is authoritative. The account domain is the same as the primary domain for a domain controller (DC) and is its default domain. For a Windows machine that is joined to a domain, the account domain is the SID namespace defined by the local Security Accounts Manager [MS-SAMR].

account domain object (account domain): A domain object that represents an issuing authority in which user objects can be created. For more information about the concept of an issuing authority, see [MS-SECO] section 2.5.

account domain security identifier: The security identifier (SID) of the account domain object.

account group: A group object whose members always include the security identifier (SID) of the group in the authorization context.

account object: An element of a Local Security Authority (LSA) policy database that describes the rights and privileges granted by the server to a security principal. The security identifier (SID) of the security principal matches that of the account object.

ACE: See access control entry (ACE).

acknowledgment (ACK): A signal passed between communicating processes or computers to signify successful receipt of a transmission as part of a communications protocol.

ACL: See access control list (ACL).

activation: The process of instantiating a DCOM object or class factory.

Active Directory: A general-purpose network directory service.

Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory first became available as part of Windows 2000 and is available as part of Windows 2000 Server products and Windows Server 2003 products, and planned for Windows Server 2008. Active Directory is not present in Windows NT 4.0 or in Windows XP. For more information, see [MS-SECO] section 2.5.2 and [MS-ADTS].

Active Directory domain: A domain hosted on Active Directory. For more information, see [MS-ADTS].

Active Directory Domain Services: See Active Directory.

Active Directory Domain Services is a new term that is replacing the phrase "Active Directory" in the Windows Server 2008 project.

Active Directory object: A distinct set of named attributes that represent a network resource. File Replication Service (FRS) uses Active Directory objects to represent servers that participate in replica sets and the topology that FRS uses to replicate data.

Active Directory replication: The process by which the changes that are made to Active Directory objects on one domain controller (DC) are automatically synchronized with other DCs.

Active Directory schema: The Microsoft Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object.

Active Directory table (ADT): A database of domain information, as specified in [MS-ADTS].

active node: A node that is currently successfully executing the implementation-specific server-to-server protocols that constitute participation in a cluster.

active partition: A partition on a master boot record (MBR) disk that becomes the system partition at system startup if the BIOS is configured to select that disk for boot. A MBR disk can have exactly one active partition. This attribute is stored within the partition table on the disk.

active volume: See active partition.

AD: See Active Directory.

AddRef: The process of calling the second IUnknown method (IUnknown::AddRef()) on an object. For more information, see [MS-DCOM].

administrative plug-in GUID: See tool extension GUID.

administrative template: A file associated with a Group Policy object (GPO) that combines information on the syntax of registry-based policy settings with human-readable descriptions of the settings, as well as other information.

administrative tool: A tool that allows administrators to read and write policy settings to and from a Group Policy object (GPO).

administrator: A user who has complete and unrestricted access to the computer/domain.

administrator in Admin Approval Mode or Consent Admin: A user mode in which administrators are prompted for permission before allowing an administrative task to be performed. Also referred to as a "Consent Admin."

administrators: An alias object with the security identifier (SID) S-1-5-32-544.

Advanced Encryption Standard (AES): A block cipher that supersedes the Data Encryption Standard (DES). AES is used in symmetric-key cryptography and is also known as the Rijndael symmetric encryption algorithm.

Advanced Systems Format (ASF): The file format used by Windows Media.

advertise: To publish descriptive identifying information in a name service.

advertised: An installation state of an application on a client computer. An advertised application is one that does not have all of the binaries and files necessary for executing the application present on the computer, but does have metadata on the client that allows it to present the application to the user as if all the files were present and also allows the client to install all of the missing files at a later time.

alias object: See resource group.

allocation unit size: The size (expressed in bytes) of the units used by the file system to allocate space on a disk for the file system used by the volume. The size, in bytes, must be a power of two and must be a multiple of the size of the sectors on the disk. Typical allocation unit sizes of most file systems range from 512 bytes to 64 KB.

alternate stream: See named stream.

ambiguous name resolution (ANR): A search algorithm that permits a client to search multiple naming-related attributes on objects by way of a single clause of the form "(anr=value)" in a Lightweight Directory Access Protocol (LDAP) search filter. This permits a client to query for an object when the client possesses some identifying material related to the object but does not know which attribute of the object contains that identifying material.

American National Standards Institute (ANSI) character set: Any character set defined by a code page approved by the American National Standards Institute (ANSI). The term "ANSI" as used to signify Windows code pages is an historical reference and a misnomer that persists in the Windows community. The source of this misnomer stems from the fact that the Windows code page 1252 was originally based on an ANSI draft, which became International Organization for Standardization (ISO) Standard 8859-1. For example, "ANSI application" is usually a reference to a non-Unicode or code-page-based application. Therefore, "ANSI character set" is often misused to refer to one of the character sets defined by a Windows code page that can be used as an active system code page, for example character sets defined by code page 1252 or character sets defined by code page 950. Windows is now based on Unicode, so the use of ANSI character sets is strongly discouraged unless they are used to interoperate with legacy applications or legacy data.

ancestor object: An object A is an ancestor of object O if there is a directed path from A to O (in other words, A is on the path from O to the root of the tree containing O).

anonymous authentication: An authentication mode in which neither party verifies the identity of the other party.

anonymous session: A session created for an anonymous user.

anonymous user: A user who presents no credentials when identifying himself or herself. The process for determining an anonymous user can differ based on the authentication protocol, and the documentation for the relevant authentication protocol should be consulted.

anywhere access gateway: A network access server (NAS) that provides remote connectivity to a network.

AP exchange: See Authentication Protocol (AP) Exchange.

application: A participant that is responsible for beginning, propagating, and completing an atomic transaction. An application communicates with a transaction manager in order to begin and complete transactions, and in order to marshal transactions to and from other applications. An application also communicates in application-specific ways with resource managers in order to submit requests for work on resources.

application advertise script: A file that contains a sequence of installation operations and configuration data for installing an application on a client machine. The installer follows the installation operations in the file and configures the metadata of the application to match the state information specified in the script.

application configuration file (ACF): A supplemental file that accompanies an Interface Definition Language (IDL) specification, and is used to specify stub processing rules. For more information, see "The Attribute Configuration Source" in Part 2 of [C706] and [MS-RPCE].

Application Desktop Toolbar: A window (anchored to an edge of the screen) that is similar to the taskbar and that typically contains buttons that give the user quick access to other applications and windows.

Application NC: A specific type of naming context (NC), or an instance of that type, that supports only full replicas (no partial replicas). An application NC cannot contain security principal objects. An application NC can contain dynamic objects; no other type of NC can. A forest can have zero or more application NCs. Application NCs do not appear in the global catalog (GC). The root of a domain NC is an object of class domainDns.

application protocol: A network protocol that visibly accomplishes the task that the user or other agent wants to perform. This is distinguished from all manner of support protocols: from Ethernet or IP at the bottom, to security and routing protocols. While necessary, these are not always visible to the user. Application protocols include, for instance, HTTP and Server Message Block (SMB).

ASCII: The American Standard Code for Information Interchange (ASCII) is an 8-bit character encoding scheme based on the English alphabet. ASCII codes represent text in computers, communications equipment, and other devices that work with text. In this specification, all references to ASCII refer to a single 8-bit ASCII character or an array of 8-bit ASCII characters with the high bit of each character set to zero. In this specification, when arrays of ASCII characters are defined, details are included that indicate whether the array of ASCII characters is null-terminated.

AS exchange: See Authentication Service (AS) exchange.

ASN.1: Abstract Syntax Notation One. ASN.1 is used to describe Kerberos datagrams as a sequence of components, sent in messages. ASN.1 is described in the following specifications: [ITUX660] for general procedures; [ITUX680] for syntax specification, and [ITUX690] for the Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER) encoding rules.

Note: There is a charge to download these documents.

assigned application: An application that is to be installed at computer startup or user logon.

atomic transaction: A shared activity that provides mechanisms for achieving the atomicity, consistency, isolation, and durability (ACID) properties when state changes occur inside participating resource managers.

attribute: (1) A characteristic of some object or entity, typically encoded as a name-value pair.

(2) (A specialization of the pervasive concepts definition). An identifier for a single or multi-valued data element that is associated with a directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (e-mail addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.

attribute syntax: Specifies the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), Object(DS-DN), and String(Unicode).

AttributeId: An OID-valued attribute of each attributeSchema object in the schema naming context (NC). In many Lightweight Directory Access Protocol (LDAP) directory implementations, the attributeId is the standard internal representation of an attribute. In the directory model used in this specification, the more familiar ldapDisplayName of an attributeSchema object represents an attribute.

AttributeStamp: The type of a stamp attached to an attribute.

Augmented Backus-Naur Form (ABNF): A modified version of Backus-Naur Form (BNF), commonly used by Internet specifications. ABNF notation balances compactness and simplicity with reasonable representational power. ABNF differs from standard BNF in its definitions and uses of naming rules, repetition, alternatives, order-independence, and value ranges. For more information, see [RFC4234].

Authenticated IP (AuthIP): An Internet Key Exchange (IKE) protocol extension. AuthIP is specified in [MS-AIPS].

authenticated users: A built-in security group specified in [MS-SECO] whose members include all users that can be authenticated by a computer.

authentication: (1) The ability of one entity to determine the identity of another entity.

(2) The act of proving an identity to a server while providing key material that binds the identity to subsequent communications.

authentication header (AH): An Internet Protocol Security (IPsec) encapsulation mode that provides authentication and message integrity. For more information, see [RFC4302] section 1.

authentication level: A numeric value indicating the level of authentication or message protection that remote procedure call (RPC) will apply to a specific message exchange. For more information, see [C706] section and [MS-RPCE].

authentication mode: One of several modes in which an authentication exchange may be performed.

Authentication Protocol (AP) exchange: The Kerberos sub-protocol called the "authentication protocol," sometimes referred to as the "Client/Server Authentication Exchange," in which the client presents a service ticket and authenticator to a service to establish an authenticated communication session with the service. The protocol is specified in [RFC4120] section 3.2.

authentication server: An entity that provides authentication services to authenticators so these services do not have to be implemented by the authenticators.

Authentication Service (AS): A service that issues ticket granting tickets (TGTs), which are used for authenticating principals within the realm or domain served by the authentication service.

Authentication Service (AS) exchange: The Kerberos sub-protocol in which the authentication service component of the key distribution center (KDC) accepts an initial logon or authentication request from a client and provides the client with a ticket granting ticket (TGT) and necessary cryptographic keys to make use of the ticket. This is specified in [RFC4120] section 3.1. The AS exchange is always initiated by the client, usually in response to the initial logon of a principal such as a user.

authentication type: A numeric identifier that uniquely identifies a security provider.

authenticator: (1) The entity requesting the authentication of a peer.

(2) A protocol message or data structure within a message that carries authentication information.

(3) When used in reference to the Netlogon Protocol, the data stored in the NETLOGON_AUTHENTICATOR structure.

(4) When used in reference to Kerberos, see Kerberos Authenticator.

AuthIP: See Authenticated IP (AuthIP).

authorization: The secure computation of roles and accesses granted to an identity.

authorization context: The set of identities for groups and the identity of the user made available to a server for the purposes of determining authorization to a resource.

authorization data: An extensible field within a Kerberos ticket, used to pass authorization data about the principal on whose behalf the ticket was issued to the application service.

auxiliary class: An object class that cannot be instantiated in the directory but that may be associated with an abstract or structural object class to add its attributes to that abstract or structural class.

auxiliary object class: An object class that can be instantiated on, or removed from, an existing object.

AV pair: Attribute/value pair. The name of some attribute, along with its value. AV pairs in NT LAN Manager (NTLM) have a structure specifying the encoding of the information stored in them.