Active Directory Administration Architecture

This section provides the architecture for the administration of Active Directory and thus the administration of the forest — the root domain and any future child domains.

A Windows Server 2003 domain consists of objects, the work they do, and the utility they provide to the domain. These objects are stored and administered in Active Directory. Thus, access to and control over Active Directory objects — secured with permissions that specify the authorized security principals (user and group accounts) — is what network administrators are given in order to administer the domain.

Servers, workstations, and the file system consist of objects that are stored in local repositories. These are secured with security principals defined on the servers or workstations themselves, which are stored in the local Security Accounts Manager (SAM). Local administrative accounts and groups have access to and rights over the local objects so that they can administer these resources at both the local level and the domain level. To allow the local objects to be administered with domain accounts, local groups can admit domain accounts and groups as members. The local Administrators group admits the Domain Admins group as a member, which is convenient but also represents a security risk: every member of Domain Admins is thereby an administrator of that machine. The Windows Server 2003 built-in groups are listed in Table 12-1.
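The following script is an added example, not from the book, that shows how an administrator can check what the preceding paragraph describes: which members of a machine's local Administrators group come from the local SAM and which come from the domain, with any nested domain group (such as Domain Admins) called out. It assumes Windows PowerShell 3.0 or later with the ADSI WinNT provider available; the function name `Get-LocalAdministratorsMembership` is this example's own, and the computer and domain names in the output are whatever the host reports.

```powershell
# Added example (not from the book): enumerate the local Administrators group and
# separate local SAM principals from domain principals. Assumes Windows PowerShell 3.0+
# and the ADSI WinNT provider; the function name is this example's own.
function Get-LocalAdministratorsMembership {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # Members come back as COM objects; read their properties via reflection.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # Local principals have a path of the form WinNT://<DOMAIN or WORKGROUP>/<COMPUTER>/<Name>;
        # domain principals have the form WinNT://<DOMAIN>/<Name>.
        $parts   = ($adsPath -replace '^WinNT://', '') -split '/'
        $isLocal = ($parts.Count -eq 3) -and ($parts[1] -ieq $ComputerName)

        [PSCustomObject]@{
            Name   = $parts[-1]
            Class  = $class                                  # 'User' or 'Group'
            Source = if ($isLocal) { 'Local SAM' } else { "Domain ($($parts[0]))" }
            Path   = $adsPath
        }
    }
}

$membership = Get-LocalAdministratorsMembership
$membership | Format-Table Name, Class, Source -AutoSize

# A domain group nested here makes every one of its members an administrator of this
# machine, so report each such group for review.
$domainGroups = $membership | Where-Object { $_.Class -eq 'Group' -and $_.Source -like 'Domain*' }
foreach ($g in $domainGroups) {
    Write-Warning "Domain group '$($g.Name)' is nested in the local Administrators group on $env:COMPUTERNAME"
}
```

On Windows 10 and Windows Server 2016 or later, the same information is available without ADSI through `Get-LocalGroupMember -Group Administrators`, whose `PrincipalSource` property distinguishes `Local` from `ActiveDirectory` members; the ADSI form above is used because it also works on the older hosts this chapter covers.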

Table 12-1: Built-in (Default) Security Groups

