Users, Groups, and Active Directory

Today’s computing environments are quickly becoming more diverse and geographically separated, but still integrated using networks. Services that are provided by third parties and delivered via the Internet are an integral part of many computing environments. These remote services, generally referred to as cloud services, have transformed the way we look at computing infrastructure. Very few of today’s computing environments are composed of unconnected workstations or devices. Windows environments, both home and office, are becoming more dependent on internally and externally shared resources. Even the smallest home networks commonly share printers, storage devices, and network access devices. While defining access permissions for small home networks is fairly easy, the same cannot be said for larger business networks.

Workgroups

In a business network, there may be dozens, hundreds, or even thousands of computers. It is desirable to allow users to access network resources from multiple computers attached to the network. By default, Windows allows computers to share resources by creating a workgroup. A workgroup is a simple peer-to-peer network in which all computers are treated as equals. A workgroup simply allows standalone computers to “see” each other’s shared resources. Common shared resources include files, folders, and printers. Each resource can be shared or hidden, and the access to each resource can be controlled by user and group permissions.

So far, workgroups sound good. The main problem with Windows workgroups is that each computer is still defined as a standalone computer. That means users and groups must be defined on multiple computers. In fact, if you want all users to have access on all computers in the workgroup, you have to add the local users on every computer. On small networks, this may seem OK at first, but maintenance can quickly get out of hand. Since all user and group accounts in a workgroup are local accounts, every account change, whether it is a new user, a password reset, a changed group membership, or a disabled account, must be repeated on every computer. A change that is missed on even one computer leaves that computer out of step with the rest of the workgroup; a departed employee whose account was disabled on five computers but forgotten on the sixth still has a valid logon there. Administration of workgroups with more than a half dozen computers can quickly become too difficult to remain viable.

Active Directory

Microsoft offered a solution to the limits of local users and groups in the original Windows NT operating system. All Windows operating systems since Windows NT have the ability to share user and group definitions with other computers connected to the same network. Many operating systems support a generic capability to share such information, called directory services. This functionality has matured into a core Windows feature, called Active Directory. Instead of having to define users and groups locally on each computer, Active Directory allows users and groups to be defined once at a central location and shared among multiple computers. You get to define the limits of how many computers share users and groups by defining domains. A domain is a set of computers that are administered together and share a single security database of users, groups, and policies. The actual database of shared users and groups is stored on one or more computers designated as domain controllers. This shared database makes it easy to maintain users, groups, and permissions in a central location. There are many more features of Microsoft Active Directory, but its main feature is the ability to define identity and authorization information once and share it among multiple computers within one or more domains. This capability greatly simplifies security administration in larger networks.

Implementing Active Directory requires more hardware for domain controller computers and network devices. It also requires additional administration time and resources to ensure shared information is protected and available in a timely fashion. Securing Active Directory means protecting the confidentiality, integrity, and availability of the directory database itself: every computer in the domain trusts what the domain controllers say about who a user is and which groups that user belongs to, so an organization that uses Active Directory is only as secure as its domain controllers.

The main reason organizations invest in Active Directory resource requirements is not just to make users happy. While implementing a single sign-on capability is a huge benefit for users in a large organization, the real reason to implement Active Directory is to reduce redundant administrative effort. Securing resources across a network, or multiple networks, requires substantial administrative effort. Every redundant control that administrators must keep current is a control that can go stale, and a stale control (an account that was disabled everywhere but one computer, or a permission that was revoked on most machines but not all) is an opportunity for an attacker. Active Directory automates and centralizes many of these controls, making the entire environment more secure.

Unlike workgroup environments, a domain user or group is defined on the domain controller, and its SID will be the same for all computers in the domain. In the workgroup environment, a local user named “Fred” may be defined on each computer, but the SID will be different on each one, because a local account’s SID is built from that computer’s own machine SID plus a relative identifier (RID), and every computer generates its own machine SID. Windows access control lists store SIDs, not names, so to Windows the two Freds are unrelated principals: a permission granted to Fred on one computer says nothing about Fred on another. Auditing Fred’s actions across multiple computers is also more difficult when the audit records carry several different SIDs. If the user named “Fred” is defined as a domain user instead, Fred’s SID is issued from the domain’s SID by the domain controller and is shared with computers in the domain when needed. Fred’s SID never changes, regardless of which computer in the domain is being accessed. Active Directory removes the problem of different SIDs on each computer.
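The following PowerShell is an added example for the SID discussion above; it is not code from the book. It breaks a SID into the issuing part (machine SID or domain SID) and the RID, resolves two accounts that exist on any Windows host, and then compares three constructed SIDs for the “Fred” scenario. The three SID strings, the computer names PC1 and PC2, and the domain name CORP are made up for illustration and do not describe any real system.

```powershell
# Added example (not from the book): show why the same local user name on two
# workgroup computers is two different principals, while a domain user is one.

function Get-SidBreakdown {
    # Resolve an account name to its SID and split it into issuer and RID.
    param([Parameter(Mandatory)][string]$AccountName)

    $nt  = [System.Security.Principal.NTAccount]::new($AccountName)
    $sid = [System.Security.Principal.SecurityIdentifier]$nt.Translate(
               [System.Security.Principal.SecurityIdentifier])

    # AccountDomainSid is S-1-5-21-<a>-<b>-<c>: the machine SID for a local
    # account, the domain SID for a domain account. Built-in SIDs such as
    # BUILTIN\Administrators (S-1-5-32-544) have no issuer and return $null.
    $issuer = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(well-known)' }

    [pscustomobject]@{
        Account = $AccountName
        Sid     = $sid.Value
        Issuer  = $issuer
        Rid     = $sid.Value.Split('-')[-1]
    }
}

function Compare-Principal {
    # Compare two SID strings the way an access check does: whole SID equality.
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)

    $a = [System.Security.Principal.SecurityIdentifier]::new($SidA)
    $b = [System.Security.Principal.SecurityIdentifier]::new($SidB)

    [pscustomobject]@{
        SameIssuer    = ($a.AccountDomainSid -eq $b.AccountDomainSid)
        SameRid       = ($a.Value.Split('-')[-1] -eq $b.Value.Split('-')[-1])
        SamePrincipal = ($a -eq $b)   # only this matters to an ACL check
    }
}

# Real accounts that exist on every Windows host. The built-in group resolves to
# a well-known SID with no issuer; the local Administrator resolves under this
# machine's own SID (the second call fails if the account has been renamed).
Get-SidBreakdown 'BUILTIN\Administrators'
Get-SidBreakdown "$env:COMPUTERNAME\Administrator"

# Constructed SIDs for the Fred scenario (invented values, not real machines).
$fredOnPc1    = 'S-1-5-21-1111111111-2222222222-3333333333-1001'  # local Fred on PC1
$fredOnPc2    = 'S-1-5-21-4444444444-5555555555-6666666666-1001'  # local Fred on PC2
$fredInDomain = 'S-1-5-21-7777777777-8888888888-9999999999-1105'  # CORP\Fred, issued by the DC

# Both local Freds happen to get RID 1001 (the first non-built-in account on a
# fresh machine), but their issuers differ, so an ACE granted to PC1's Fred is
# useless to Fred sitting at PC2: SameIssuer=False, SameRid=True, SamePrincipal=False.
Compare-Principal $fredOnPc1 $fredOnPc2

# The domain SID is identical wherever it is evaluated, so the same ACE works on
# every member computer: SameIssuer=True, SameRid=True, SamePrincipal=True.
Compare-Principal $fredInDomain $fredInDomain
```

The point to take from the comparison is the last column: Windows never matches principals by name or by RID alone, only by the complete SID, which is why a local account cannot be made to “carry over” between workgroup computers and why a domain account can.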
