What is an Active Directory (AD) Object?
An Active Directory object is a distinct, identifiable item within the Active Directory database that represents a real-world resource in a Windows domain environment. These objects form the building blocks of the AD architecture.
Common Types of Active Directory Objects
- User Objects
Represent individual users in the domain. They store attributes like username, password, email address, phone number, and group memberships. - Computer Objects
Represent physical or virtual machines joined to the domain. They allow centralized management of security settings and permissions. - Group Objects
Used to collect users, computers, or other groups into manageable units. Groups simplify permission management. - Organizational Units (OUs)
Logical containers used to group objects (like users or computers) for easier administration and application of Group Policies. - Printers and Shared Resources
Represent network printers and other shared hardware or file resources. - Service Accounts
Special user accounts created to run services and applications securely. - Contacts
Store information about people outside the organization and can be used in distribution groups.
Object Attributes
Each AD object has a set of attributes stored in the schema. Attributes describe details about the object. For example:
- A user object might have:
sAMAccountName,mail,memberOf,lastLogon - A computer object might have:
dNSHostName,operatingSystem,lastLogonTimestamp
Distinguished Name (DN)
Every AD object has a Distinguished Name (DN), which is its unique path in the directory hierarchy.
Example:
CN=John Smith,OU=Sales,DC=example,DC=com
This means the user John Smith is located in the Sales OU of the example.com domain.
Security and Permissions
AD objects are subject to Access Control Lists (ACLs), which define who can read, modify, or manage them. This allows fine-grained control over access and delegation.