How to Cheat at Designing Security for a Windows Server 2003 Network

All network access begins with one thing: a user account. You can grant network access to an individual user account, or to a group object that contains multiple accounts; whether it's a user or a group object, anything that you use to assign permissions is called a security principal. You will use security principals on your network to assign permissions to network resources such as file shares and folders, and rights assignments such as "Log on interactively" and "Backup files and folders". The total combination of rights and permissions assigned to a user account, along with any permissions assigned to groups that the user is a member of, defines what a user can and cannot do when working on a network.
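The following added example (not from the book) models how that combination is resolved: the rights a user ends up with come from every ACE that names the user or any group the user belongs to, including nested groups, with an explicit Deny overriding an Allow. The group membership and the file's ACL are constructed sample data, and the resolver is a simplified model rather than the exact Windows access-check algorithm.

```python
# Simplified model of effective permissions on a Windows file. Constructed sample data;
# the real access check walks the DACL in order, but with explicit Deny ACEs ordered
# first (canonical order) the result is the same as "union of Allows minus Denies".
from typing import Dict, List, Set, Tuple

# Group -> direct members (users or other groups). Constructed sample; note that
# "Executive Assistants" is nested inside "Senior Directors".
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Senior Directors": {"alice", "Executive Assistants"},
    "Executive Assistants": {"bob"},
    "Backup Operators": {"carol"},
}

# Discretionary ACL on the confidential file: (type, principal, rights). Constructed sample.
FILE_ACL: List[Tuple[str, str, Set[str]]] = [
    ("Deny", "Executive Assistants", {"Read"}),
    ("Allow", "Senior Directors", {"Read", "Write"}),
    ("Allow", "Backup Operators", {"Read"}),
]


def expand_principals(user: str) -> Set[str]:
    """Return the user plus every group the user belongs to, directly or by nesting."""
    principals = {user}
    changed = True
    while changed:  # keep adding groups until no new parent group is found
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in principals and members & principals:
                principals.add(group)
                changed = True
    return principals


def effective_rights(user: str, acl: List[Tuple[str, str, Set[str]]]) -> Set[str]:
    """Union the Allow rights that match any of the user's principals, then remove Denies."""
    principals = expand_principals(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace_type, principal, rights in acl:
        if principal in principals:
            (allowed if ace_type == "Allow" else denied).update(rights)
    return allowed - denied


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, sorted(effective_rights(name, FILE_ACL)))
```

Running it shows why the account, not just the file ACL, is what must be protected: bob never appears in the ACL, yet nesting gives him Write, and anyone holding alice's credentials gets full Read and Write.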
Given the importance of user accounts, then, it stands to reason that securing the directory that houses your user database information should be one of the primary goals of your security design plan. Imagine, for example, that you've been asked to restrict access to a certain file to only your company's Senior Directors. What you're being asked to do here is twofold: to restrict who has access to the file, and to protect who has access to the accounts being used by the Senior Directors. If a Senior Director's username and password were compromised, then an unauthorized user would be able to access this confidential file. It is important to understand the potential risks to the Active Directory database, and to design your Active Directory user accounts...