Glossary

A

Access Control Entry (ACE)

An entry within an access control list that grants or denies permissions to users or groups for a given resource.

Access Control List (ACL)

Contains a set of access control entries that define an object’s permission settings. ACLs enable administrators to explicitly control access to resources.

Active Directory (AD)

The Windows Server 2003 directory service that replaces the antiquated Windows NT domain structure. Active Directory forms the basis for centralized network management on Windows Server 2003 networks, providing a hierarchical view of network resources.

Active Directory Application Mode (ADAM)

A standalone mode of Active Directory that enables organizations to use directory-enabled applications in their own directory, with their own schema, independently of the main corporate Active Directory database.

Active Directory Federation Services (ADFS)

A new set of technologies in Windows Server 2003 R2 that enables partner companies to access Active Directory resources across the Internet in a trusted manner, without having to have user accounts in the resource domain.

Active Directory Service Interfaces (ADSI)

A directory service model implemented as a set of COM interfaces. ADSI allows Windows applications to access Active Directory, often through ActiveX interfaces such as VBScript.

Active Directory Users and Computers

The primary systems administrator utility for managing users, groups, and computers in a Windows Server 2003 domain, implemented as a Microsoft Management Console (MMC) snap-in.

application data partition

A partitioned section of Active Directory that is replicated only to specified domain controllers. Application data partitions are used by applications to store their application-specific data.

assigned applications

Through the Software Installation utility in Group Policy, administrators can assign applications to users and computers. Assigned applications are always available to the user, even if the user attempts to uninstall them. Applications assigned to a computer will automatically be installed on the next restart.

asynchronous processing

Occurs when one task waits until another is finished before beginning. This is typically associated with scripts, such as a user logon script not running before the computer startup script has completed. This is the default behavior in Windows Server 2003.

attribute

The basic unit of an object, an attribute is a single property contained in the schema that through its values defines the object. For example, an attribute of a standard user account is the account name.

auditing

A security process that tracks the usage of selected network resources, typically storing the results in a log file.

authentication

The process by which a user’s logon credentials are validated by a server so that access to a network resource can be granted or denied.

B

Backup Domain Controller (BDC)

A Windows NT 3.x or 4.0 server that contains a backup read-only copy of the domain security accounts manager (user account and security information). BDCs take the load off the primary domain controller (PDC) by servicing logon requests. Periodic synchronizing ensures that data between the PDC and BDCs remains consistent.

baseline

A term associated with performance monitoring, a baseline is the initial result of monitoring typical network and server performance under a normal load, and all future results are measured against the baseline readings. A baseline will typically have performance readings for the processor(s), memory, disk subsystem, and network subsystem.

bridgehead server

The contact point for the exchange of directory information between Active Directory sites.

C

Certificate Authority (CA)

A trusted authority, either within a network or at a third-party company, that manages security credentials and guarantees that the user object holding a certificate is who it claims to be.

checkpoint file

Indicates the location of the last information successfully written from the transaction logs to the database. In a data-recovery scenario, the checkpoint file indicates where the recovery or replaying of data should begin.

circular logging

When a log file fills up, it is overwritten with new data rather than a new log file being created. This conserves disk space but can result in data loss in a disaster-recovery scenario.

computer configuration

The portion of a Group Policy Object that allows for computer policies to be configured and applied.

connection object

An Active Directory object stored on domain controllers that is used to represent inbound replication links. Domain controllers create their own connection objects for intrasite replication through the Knowledge Consistency Checker (KCC), whereas only a single domain controller in a site creates connection objects for inter-site replication, through the Intersite Topology Generator.

container

An object in Active Directory that is capable of holding other objects. An example of a container would be the Users organizational unit in Active Directory Users and Computers.

convergence

The process of stabilization after network changes occur. Often associated with routing or replication, convergence ensures each router or server contains consistent information.

counters

The metrics used in performance monitoring, counters are what you are actually monitoring. An example of a counter for a CPU object would be %Processing Time.

D

DCPROMO

The command-line utility used to promote a Windows Server 2003 system to a domain controller. DCPROMO could also be used to demote a domain controller to a member server.

delegation

The process of offloading the responsibility for a given task or set of tasks to another user or group. Delegation in Windows Server 2003 usually involves granting permission to someone else to perform a specific administrative task such as creating computer accounts.

directory

A database that contains any number of different types of data. In Windows Server 2003, the Active Directory is a database that contains information about objects in the domain, such as computers, users, groups, and printers.

Directory Service (DS)

Provides the methods of storing directory data and making that data available to other directory objects. A directory service makes it possible for users to find any object in the directory given any one of its attributes.

Directory System Agent (DSA)

Makes data within Active Directory accessible to applications that want it, acting as a liaison between the directory database and the applications.

disk quota

An administrative limit, set on a per-volume basis, on the amount of server storage space that can be used by any particular user.

distinguished name

The name that uniquely identifies an object. A distinguished name is composed of the relative distinguished name, the domain name, and the container holding the object. An example would be CN=WWillis, CN=Inside-Corner, CN=COM. This refers to the WWillis user account in the inside-corner.com domain.

Distributed File System (DFS)

A Windows Server 2003 service that allows resources from multiple server locations to be presented through Active Directory as a contiguous set of files and folders, resulting in more ease of use of network resources for users.

distribution group

An Active Directory group of user accounts, or other groups, that is used strictly for email distribution. A distribution group cannot be used for granting permissions to resources. That type of group is called a security group.

domain

A logical grouping of Windows Server 2003 computers, users, and groups that share a common directory database. Domains are defined by an administrator.

Domain Controller (DC)

A server that is capable of performing authentication. In Windows Server 2003, a domain controller holds a copy of the Active Directory database.

domain functional level

Windows Server 2003 domains can operate at one of four functional levels: Windows 2000 mixed mode, Windows 2000 native mode, Windows Server 2003 interim level, or Windows Server 2003 functional level. Each functional level has different tradeoffs between features and limitations.

domain local group

A domain local group can contain other domain local groups from its own domain, as well as global groups from any domain in the forest. A domain local group can be used to assign permissions for resources located in the same domain as the group.

Domain Name System (DNS)

A hierarchical name-resolution system that resolves hostnames into IP addresses, and vice versa. DNS also makes it possible for the distributed Active Directory database to function, by allowing clients to query the locations of services in the forest and domain.

Domain Naming Master

One of the two forestwide Flexible Single Master Operations (FSMO) roles, the Domain Naming Master’s job is to ensure domain name uniqueness within a forest.

Dynamic Domain Name System (DDNS)

An extension of DNS that allows Windows 2000 and Windows XP Professional systems to automatically register their A records with DNS at the time they obtain an IP address from a DHCP server.

Dynamic Host Configuration Protocol (DHCP)

A service that allows an administrator to specify a range of valid IP addresses to be used on a network, as well as exclusion IP addresses that should not be assigned (for example, if they were already statically assigned elsewhere). These addresses are automatically given out to computers configured to use DHCP as they boot up on the network, thus saving the administrator from having to configure static IP addresses on each individual network device.

E

enrollment agent certificate

A special certificate issued by a CA that grants the owner of the certificate the authority to enroll users into advanced security and issue certificates on behalf of the users.

enrollment station

This station is the physical workstation or server where the enrollment agent certificate is installed and used by the authorized person to enroll users and issue certificates.

Extensible Storage Engine (ESE)

The Active Directory database engine, ESE is an improved version of the older Jet database technology. The ESE database uses the concept of discrete transactions and log files to ensure the integrity of Active Directory. Each request to the DSA to add, modify, or delete an object or attribute is treated as an individual transaction. As these transactions occur on each domain controller, they are recorded in a series of log files that are associated with each Ntds.dit file.

external trust

A trust relationship created between a Windows Server 2003 Active Directory domain and a Windows NT 4 domain, or between Active Directory domains in different forests.

F

File Replication Service (FRS)

A service that provides multimaster replication between specified domain controllers within an Active Directory tree.

File Transfer Protocol (FTP)

A standard TCP/IP utility that allows for the transfer of files from an FTP server to a machine running the FTP client.

firewall

A hardware and software security system that functions to limit access to network resources across subnets. Typically, a firewall is used between a private network and the Internet to prevent outsiders from accessing the private network and to limit what Internet services users of the private network can access.

flat namespace

A namespace that cannot be partitioned to produce additional domains. Windows NT 4 and earlier domains were examples of flat namespaces, in contrast to the Windows Server 2003 hierarchical namespace.

Flexible Single Master Operations (FSMO)

Five roles that Windows Server 2003 requires not to follow the typical multimaster model. Instead, each role is hosted on only a single domain controller in each domain, in the case of the Infrastructure Master, PDC Emulator, and RID Master, or on only a single domain controller in the forest, in the case of the Domain Naming Master and the Schema Master.

Folder Redirection

A Windows Server 2003 feature that allows special folders, such as My Documents, on local Windows XP Professional system hard drives to be redirected to a shared network location.

forest

A grouping of Active Directory trees that have a trust relationship between them. Forests can consist of a noncontiguous namespace and, unlike domains and trees, do not have to be given a specific name.

forest functional level

The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000. When the forest functional level is raised to Windows Server 2003 interim or Windows Server 2003, advanced forestwide Active Directory features are available.

forest root

The first domain created in a forest.

forest trust

A trust relationship established between two Active Directory forests.

forward lookup query

A DNS name-resolution process by which a hostname is resolved to an IP address.

Fully Qualified Domain Name (FQDN)

A DNS domain name that unambiguously describes the location of the host within a domain tree. An example of an FQDN is the computer www.inside-corner.com.

functional level

A concept first introduced in Windows Server 2003 that determines what level of features and interoperability with other Windows operating systems is available in a domain or forest. In Windows 2000, functional levels were referred to as modes.

G

Global Catalog (GC)

Contains a partial replica of every Windows Server 2003 domain object within the Active Directory, enabling users to find any object in the directory. The partial replica contains the most commonly used attributes of an object, as well as information on how to locate a complete replica elsewhere in the directory, if needed.

Global Catalog Server

The Windows Server 2003 server that holds the Global Catalog for the forest.

global group

A global group can contain users from the same domain that the global group is located in, and global groups can be added to domain local groups to control access to network resources.

Globally Unique Identifier (GUID)

A hexadecimal number supplied by the manufacturer of a product that uniquely identifies the hardware or software. A GUID is in the form of eight characters, followed by three sets of four characters, followed by 12 characters. For example, {15DEF489-AE24-10BF-C11A-00BB844CE637} is a valid format for a GUID (braces included).

gpresult

A command-line utility that displays information about the current effect Group Policy has had on the local computer and logged-in user account.

Group Policy

The Windows Server 2003 feature that allows for policy creation, which affects domain users and computers. Policies can be anything from desktop settings to application assignments to security settings and more.

Group Policy Editor

The Microsoft Management Console (MMC) snap-in that is used to modify the settings of a Group Policy Object.

Group Policy Management Console (GPMC)

Available as a standalone download for Windows Server 2003 and included with Windows Server 2003 R2, the GPMC consolidates the administrative tasks of Group Policy into a single console for ease of management.

Group Policy Object (GPO)

A collection of policies that apply to a specific target, such as the domain itself (Default Domain Policy) or an organizational unit (OU). GPOs are modified through the Group Policy Editor to define policy settings.

H

hierarchical namespace

A namespace, such as with DNS, that can be partitioned out in the form of a tree. This allows great flexibility in using a domain name because any number of subdomains can be created under a parent domain.

I

Infrastructure Master

The FSMO role that is responsible for receiving replicated changes from other domains within the forest and replicating these changes to all domain controllers within its domain. There is one Infrastructure Master per domain, and it also is responsible for tracking what Active Directory container an object is located in.

inheritance

The process by which an object obtains settings information from a parent object.

Intersite Topology Generator (ISTG)

The Windows Server 2003 server that is responsible for evaluating and creating the topology for inter-site replication.

J

Just-In-Time (JIT)

Technology that allows software features to be updated at the time they are accessed. Whereas in the past, missing application features had to be manually installed, JIT technology allows the features to be installed on-the-fly as they are accessed, with no other intervention required.

K

Kerberos

An Internet standard security protocol that has largely replaced the older LAN Manager user-authentication mechanism from earlier Windows NT versions.

Knowledge Consistency Checker (KCC)

A Windows Server 2003 service that functions to ensure consistent database information is kept across all domain controllers. It attempts to ensure that replication can always take place.

L

latency

The delay that occurs in replication from the time a change is made to one replica to the time that change is applied to all other replicas in the directory.

Lightweight Directory Access Protocol (LDAP)

The Windows Server 2003 protocol that allows access to Active Directory. LDAP is an Internet standard for accessing directory services.

linked policy

A Group Policy that exists in one object and is linked to another object. Linked policies are used to reduce administrative duplication in applying the same policies to multiple OUs.

Local Area Network (LAN)

A network where all hosts are connected over fast connections (4MBps or greater for token ring; 10MBps or better for ethernet). LANs typically do not involve any outside data carriers (such as Frame Relay lines or T1 circuits) and are generally wholly owned by the organization.

local group

A security group that exists on a local workstation or server and is used for granting permissions to local resources. Typically, global groups from a domain are placed inside a local group to gain access to resources on a local machine.

local group policy objects

Objects that exist on the local Windows Server 2003 system. Site-, domain-, and OU-applied GPOs all take precedence over local GPOs.

M

member server

A server that is a member of a domain but is not a domain controller. A Windows Server 2003 domain can have Windows NT, Windows 2000, and Windows Server 2003 member servers, regardless of the domain functional level.

Microsoft Management Console (MMC)

An extensible management framework that provides a common look and feel to all Windows Server 2003 utilities.

multihomed

A server that has two or more network cards is said to be multihomed. This allows a server either to function as a router or to belong to more than one subnet simultaneously. Alternatively, multiple network adapters can be used for load balancing or fault tolerance.

multimaster replication

A replication model in which any domain controller will replicate data to any other domain controller. This is the default behavior in Windows Server 2003. It contrasts with the single-master replication model of Windows NT 4, in which a PDC contained the master copy of everything and BDCs contained backup copies.

N

name resolution

The process of resolving a hostname into a format that can be understood by computers. This is typically resolving a DNS name or NetBIOS name to an IP address, but could also be a MAC address on non-TCP/IP networks.

NetBIOS

An application programming interface (API) used on Windows NT 4 and earlier networks by services requesting and providing name resolution and network data management.

Network Operating System (NOS)

A generic term that applies to any operating system with built-in networking capabilities. All Windows operating systems beginning with Windows 95 have been true network operating systems.

nonlocal Group Policy Objects

GPOs that are stored in Active Directory rather than on the local machine. These can be site-, domain-, or OU-level GPOs.

NSLOOKUP

A TCP/IP utility used in troubleshooting DNS name-resolution problems.

NTDSUTIL

A command-line utility that provides a number of Active Directory management functions.

NTFS

The Windows NT/2000 file system that supports a much more robust feature set than either FAT16 or FAT32 (which is used on Windows 9x). It is recommended to use NTFS whenever possible on Windows Server 2003 systems.

O

object

A distinct entity represented by a series of attributes within Active Directory. An object can be a user, a computer, a folder, a file, a printer, and so on.

object identifier

A number that uniquely identifies an object class or attribute. In the United States, the American National Standards Institute (ANSI) issues object identifiers, which take the form of an x.x.x.x dotted decimal format. Microsoft, for example, was issued the root object identifier of 1.2.840.113556, from which it can create further subobject identifiers.

Operations Master

A Windows Server 2003 domain controller that has been assigned one or more of the special Active Directory domain roles, such as Schema Master, Domain Naming Master, PDC Emulator, Infrastructure Master, and Relative Identifier (RID) Master.

Organizational Unit (OU)

An Active Directory container object that allows an administrator to logically group users, groups, computers, and other OUs into administrative units.

P

package

A collection of software compiled into a distributable form, such as a Windows Installer (.msi) package created with WinInstall.

parent-child trust relationship

The relationship whereby a child object trusts its parent object, and the parent object is trusted by all child objects under it. Active Directory automatically creates two-way transitive trust relationships between parent and child objects.

Password Synchronization

A new feature of Windows Server 2003 R2 that contributes to better Active Directory and UNIX interoperability by automatically synchronizing passwords between the two.

patching

The process of modifying or updating software packages.

PDC Emulator

The domain-level FSMO role that serves to replicate data with Windows NT 4 BDCs in a domain, in effect functioning as an NT 4 PDC. The PDC emulator also provides time synchronization services for the domain.

PING

A TCP/IP utility that tests for basic connectivity between the client machine running PING and any other TCP/IP host.

policy

Settings and rules that are applied to users or computers, usually Group Policy in Windows Server 2003 and System Policy in Windows NT 4.

preferred bridgehead server

Rather than letting the KCC decide what server should be a bridgehead server, you can designate preferred bridgehead servers to be used if the primary goes down. Only one preferred bridgehead server can be active at a time.

Primary Domain Controller (PDC)

A Windows NT 4 (and earlier) server that contains the master copy of the domain database and the only writable copy of the database. PDCs authenticate user logon requests and track security-related changes within the domain.

Public Key Infrastructure (PKI)

An industry standard technology that allows for the establishment of secure communication between hosts based on a public key/private key or certificate-based system.

published applications

Through the Software Installation utility in Group Policy, administrators can publish applications to users. Published applications appear in Add/Remove Programs and can be optionally installed by the user.

R

realm trust

A trust relationship in Windows Server 2003 that is created between an Active Directory domain and a UNIX realm.

Registry

A data repository on each computer that contains information about that computer’s configuration. The Registry is organized into a hierarchical tree and is made up of hives, keys, and values.

Relative Distinguished Name (RDN)

The part of a DNS name that defines the host. For example, in the FQDN www.inside-corner.com, www is the relative distinguished name.

Relative Identifier (RID)

The part of the security identifier (SID) that uniquely identifies an account or group within a domain.

replica

A copy of any given Active Directory object. Each copy of an object stored on multiple domain controllers is a replica.

replication

The process of copying data from one Windows Server 2003 domain controller to another. Replication is a process managed by an administrator and typically occurs automatically whenever changes are made to a replica of an object.

Request For Comments (RFCs)

Official documents that specify Internet standards for the TCP/IP protocol.

resource records

Standard database record types used in DNS zone database files. Common types of resource records include Address (A), Mail Exchanger (MX), Start of Authority (SOA), and Name Server (NS), among others.

Resultant Set of Policy (RSoP)

A Windows Server 2003 Group Policy tool that lets you simulate the effects of Group Policies without actually implementing them. RSoP has two modes: logging mode and planning mode. Logging mode determines the resultant effect of policy settings that have been applied to an existing user and computer based on a site, domain, or organizational unit. Planning mode simulates the resultant effect of policy settings that are applied to a user and computer.

Return On Investment (ROI)

A business term that seeks to determine the amount of financial gain that occurs as a result of a certain expenditure. Many IT personnel today are faced with the prospect of justifying IT expenses in terms of ROI.

reverse lookup query

A DNS name-resolution process by which an IP address is resolved to a hostname.

RID Master

The domain-level FSMO role that is responsible for managing pools of RIDs and ensuring that every object in the domain gets a unique RID.

router

A dedicated network hardware appliance or a server running routing software and multiple network cards. Routers join dissimilar network topologies (such as ethernet to Frame Relay) or simply segment networks into multiple subnets.

S

scalability

Measurement (often subjective) of how well a resource such as a server can expand to accommodate growing needs.

schema

In Active Directory, a schema is a description of object classes and the attributes that the object classes must possess and can possess.

Schema Master

The Windows Server 2003 domain controller that has been assigned the Operations Master role to control all schema updates within a forest.

security group

A type of group that can contain user accounts or other groups and can be used to assign levels of access (permissions) to shared resources.

Security Identifier (SID)

A number that uniquely identifies a user, a group, or a computer account. Every account is issued one when created, and if the account is later deleted and re-created with the same name, it will have a different SID. After an SID is used in a domain, it can never be used again.

security templates

Collections of standard settings that can be applied administratively to give a consistent level of security to a system.

Server for NIS

A new feature of Windows Server 2003 R2 that helps integrate Active Directory and UNIX by enabling an Active Directory domain controller to function as a UNIX NIS server.

shortcut trust

A Windows Server 2003 trust relationship between two domains within the same forest. Shortcut trusts are used to shorten the path that authentication needs to travel by directly connecting child domains.

Single-Instance Store (SIS)

A RIS component that combines duplicate files to reduce storage requirements on the RIS server.

single-master operations

Certain Active Directory operations that are allowed to occur in only one place at any given time (as opposed to being allowed to occur in multiple locations simultaneously). Examples of single-master operations include schema modifications, PDC elections, and infrastructure changes.

Single Sign-On (SSO)

The ideal of having one username and password that works for everything on a network. Windows Server 2003 R2 features like Active Directory Federation Services bring this closer to reality than ever before.

site

A physical component of Active Directory. Sites are created for the purpose of balancing logon authentication with replication. They can have zero (in planning), one, or multiple IP subnets. These subnets should be well-connected with fast LAN links.

site link

A connection between sites, a site link is used to join multiple locations together.

site link bridge

A collection of site links that helps Active Directory work out the cost of replicating traffic from one point to another within the network infrastructure that is not directly connected by a single site link. By default, all site links are bridged, but this can be disabled in favor of manually configured site link bridges.

site link cost

A way for AD to determine what path to replicate traffic over on a routed network. The lower the cost, the more preferable it is for AD to use a particular site link. For example, if you have a T1 and an ISDN site link connecting the same sites, the T1 site link would have a lower cost than the ISDN site link, making it the preferred path for traffic.

slow link

A connection between sites that is not fast enough to provide full functionality in an acceptable time frame. Site connections below 512KBps are defined as slow links in Windows Server 2003.

smart card

A credit card–sized device that is used with an access code to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card.

snap-in

A component that can be added or removed from a Microsoft Management Console (MMC) console to provide specific functionality. The Windows Server 2003 administrative tools are implemented as snap-ins.

Software Installation

A Group Policy component that allows administrators to optionally assign applications to be available to users and computers or publish applications to users.

static IP address

Also called a static address, this is where a network device (such as a server) is manually configured with an IP address that doesn’t change rather than obtaining an address automatically from a DHCP server.

store

Implemented using the Extensible Storage Engine, a store is the physical storage of each Active Directory replica.

subnet

A collection of hosts on a TCP/IP network that are not separated by any routers. A basic corporate LAN with one location would be referred to as a subnet when it is connected by a router to another network, such as that of an Internet service provider.

synchronous processing

Synchronous processing occurs when one task does not wait for another to complete before it begins. Rather, the two run concurrently. This is typically associated with scripts in Windows Server 2003, such as a user logon script running without waiting for the computer startup script to finish.

System Policies

System Policies are Windows NT 4 Registry-based policy settings that have largely been replaced in Windows Server 2003 by Group Policy. System Policies can still be created using poledit.exe, however, for backward compatibility with non–Windows Server 2003 clients.

Systems Management Server (SMS)

A product in Microsoft’s BackOffice server line that provides more extensive software distribution, metering, inventorying, and auditing than what is possible strictly through Group Policy.

SYSVOL

A shared folder on an NTFS partition on every AD domain controller that contains information (scripts, Group Policy info, and so on) that is replicated to other domain controllers in the domain. The SYSVOL folder is created during the installation of Active Directory.

T

TCP/IP

TCP/IP (Transmission Control Protocol/Internet Protocol) is the standard protocol for communicating on the Internet and is the default protocol in Windows Server 2003.

Time To Live (TTL)

The amount of time a packet destined for a host will exist before it is deleted from the network. TTLs are used to prevent networks from becoming congested with packets that cannot reach their destinations.

Total Cost of Ownership (TCO)

A change and control management concept that many IT professionals are being forced to become more aware of. TCO refers to the combined hard and soft costs (initial price and support costs) of owning a given resource.

transitive trust

An automatically created trust in Windows Server 2003 that exists between domain trees within a forest and domains within a tree. Transitive trusts are two-way trust relationships. Unlike with Windows NT 4, transitive trusts in Windows Server 2003 can flow between domains. This way, if Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 automatically trusts Domain3.

tree

A collection of Windows Server 2003 domains that are connected through transitive trusts and share a common Global Catalog and schema. Domains within a tree must form a contiguous namespace. A tree is contained within a forest, and there can be multiple trees in a forest.

U

universal group

An Active Directory security group that can be used anywhere within a domain tree or forest, the only caveat being that universal groups can be used only when an Active Directory domain has been converted to native mode.

universal group caching

A feature that can be used after a domain has been raised to the Windows Server 2003 functional level; universal group caching allows users in universal groups to log on without the presence of a GC server.

Update Sequence Number (USN)

A 64-bit number that keeps track of changes as they are written to copies of the Active Directory. As changes are made, this number increments by one. Every attribute in Active Directory has a USN value.

UPN suffix

The part of the user principal name (UPN) that comes after the @ symbol and is typically the domain name for a user account. Alternative UPN suffixes can be created to allow for improved logon security or simply shorter UPNs for users.

user configuration

The portion of a Group Policy Object that allows for user policy settings to be configured and applied.

User Principal Name (UPN)

The full DNS domain name of an Active Directory user account that could be used for authentication purposes. An example of a UPN would be [email protected].

user profile

Contains settings that define the user environment, typically applied when the user logs on to the system.

W

well-connected network

A network that contains only fast connections between domains and hosts. The definition of “fast” is somewhat subjective and may vary from organization to organization.

Wide Area Network (WAN)

Multiple networks connected by slow connections between routers. WAN connections are typically 1.5MBps or less.

Windows 2000 mixed mode

Allows Windows NT 4 domain controllers to exist and function within a Windows Server 2003 domain. This is the default setting when Active Directory is installed, although it can be changed to native mode.

Windows 2000 native mode

The mode in which all domain controllers in a domain have been upgraded to Windows Server 2003 and there are no longer any NT 4 domain controllers. An administrator explicitly puts Active Directory into native mode, at which time it cannot be returned to mixed mode without removing and reinstalling Active Directory.

Windows Internet Naming System (WINS)

A dynamic name-resolution system that resolves NetBIOS names to IP addresses on Windows TCP/IP networks. With Windows Server 2003, WINS is being phased out in favor of DNS, but it will be necessary to keep WINS in place as long as any legacy clients or applications on the network use it.

Windows Management Instrumentation (WMI)

A Windows Server 2003 management infrastructure for monitoring and controlling system resources.

Windows Script Host

Enables the running of VBScript or JavaScript scripts natively on a Windows system, offering increased power and flexibility over traditional batch files.

Windows Server 2003 functional level

The highest functional level of either the domain or forest in Windows Server 2003, this functional level implements all the new features of Windows Server 2003 Active Directory but at the expense of some backward compatibility.

WinInstall

An optional utility that ships with Windows Server 2003 and can be used to create Windows Installer packages.

workgroup

A group of workstations and servers that are not networked within the concept of a domain. In other words, each machine maintains its own local accounts database, and the workgroup can become difficult to administer as the number of computers in it grows.

WScript

The Windows interface to Windows Script Host (WSH).

X

X.500

A set of standards developed by the International Standards Organization (ISO) that defines distributed directory services.
