ACTIVE DIRECTORY

If you work in any mid-to-large company that uses Windows computers, Active Directory is running in the background every single day. It's one of those things that most people never think about — but IT teams and cybersecurity professionals think about it constantly.

This post breaks down everything you need to know about Active Directory, from what it actually is to how it scales across massive global organisations.

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft. At its core, it is a centralised system that stores and manages information about every resource on a network — users, computers, printers, shared folders, and more.

Before AD existed, system administrators had to configure each machine individually. If you had 500 computers in your company, you had to go to each one and set things up manually. Active Directory changed that completely by giving IT teams a single place to manage everything.

The server that hosts and runs Active Directory is called a Domain Controller (DC). Every Windows-based corporate network has at least one, and larger organisations often have several for reliability and performance. The Domain Controller is the most critical server in the entire network — and also the most sensitive from a security standpoint.

All the computers, users, and devices that are managed by Active Directory together form what's called a Windows Domain.

What does Active Directory actually store?

Active Directory works by storing "objects." An object is simply any entity that exists in your network. There are several types:

1. Users

User accounts are the most common object in Active Directory. Every employee in a company has one. When you log in at work, Active Directory checks your credentials and decides whether to let you in.

But users aren't only for real people. Active Directory also supports service accounts — special user accounts created for software rather than humans. Applications like databases, web servers, and backup tools all need to "log in" to the system to do their work. These service accounts are given only the minimum permissions needed to run that specific software — nothing more. This is a key security principle called least privilege.

2. Machines (Computers)

Every computer that joins a Windows domain gets its own machine account in Active Directory. Just like a user account represents a person, a machine account represents a device. These accounts allow the domain to track, manage, and apply policies to each computer.

Machine accounts are easy to identify — they always end with a dollar sign. For example, a computer named LAPTOP01 would have a machine account called LAPTOP01$.

Machine account passwords are automatically rotated and are extremely long (120 random characters), so they're practically impossible to guess.

3. Security Groups

Managing permissions for hundreds of individual users would be a mess. That's why Active Directory uses Security Groups.

A Security Group is a collection of users (or computers) that share the same access rights. Instead of giving each person individual access to a shared folder, you put them all in a group and give the group access. Anyone added to that group instantly inherits the permissions.

A single user can be a member of multiple security groups at the same time. Some of the most important built-in groups in Active Directory include:

- Domain Admins — Full administrative control over the entire domain. This is the most powerful group and access to it should be tightly controlled.
- Server Operators — Can manage Domain Controllers but cannot change admin group memberships.
- Backup Operators — Can access any file on any computer, regardless of permissions, specifically for backup purposes.
- Account Operators — Can create and modify user accounts in the domain.
- Domain Users — Automatically includes every user account in the domain.
- Domain Computers — Automatically includes every computer joined to the domain.
- Domain Controllers — Contains all Domain Controllers in the network.

4. Organisational Units (OUs)

Organisational Units are like folders inside Active Directory. They let you group users and computers by department, location, role, or any other category that makes sense for your organisation.

For example, a typical company might have OUs like:

- Sales
- Marketing
- IT
- Management
- Finance

OUs exist primarily so that different policies can be applied to different groups. The Sales team might have restrictions that the IT team doesn't need. The Finance team might have stricter security settings. OUs make this possible.

One important rule: a user can only belong to one OU at a time.

Security Groups vs Organisational Units — what's the difference?

This is one of the most commonly confused concepts in Active Directory, so let's make it crystal clear.

Security Groups are about access. They answer the question: "Who is allowed to use this resource?" If you want certain people to access a shared drive or a printer, you put them in a security group and give that group permission.

Organisational Units are about policy. They answer the question: "What settings and rules apply to these users or computers?" OUs are used to organise objects so that different configurations can be pushed to different departments.

Think of it like this: Security Groups are keys to different rooms. OUs are the floors of a building — everyone on the same floor follows the same house rules.

A user can be in multiple security groups (holding many keys), but they can only be on one floor (one OU) at a time.

Group Policy — the rulebook of the domain

One of the most powerful features of Active Directory is Group Policy. Group Policy Objects (GPOs) are collections of settings that IT administrators create and push out to users and computers across the network.

GPOs can control an enormous range of things, including:

- Enforcing a minimum password length and complexity
- Automatically locking screens after a period of inactivity
- Blocking access to the Control Panel for non-IT staff
- Preventing users from installing software
- Setting desktop wallpapers and browser homepages
- Configuring Windows Firewall rules
- Mapping shared network drives automatically at login

GPOs are linked to OUs, which means different departments can have completely different policies applied to them. The IT department might have full access to system settings, while the Sales department is locked down with minimal control over their machines.

GPOs are stored and distributed through a special shared folder on the Domain Controller called SYSVOL. All computers in the domain regularly sync with this share to pick up any new or updated policies.
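As an added example (not code from the original post), the PowerShell below builds the "block the Control Panel for Sales" policy described above and links it only to the Sales OU. It assumes the GroupPolicy RSAT module, a domain named company.local, an OU called Sales, and an account allowed to create and link GPOs.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy module,
# a domain company.local with an OU named Sales, and GPO create/link rights.
Import-Module GroupPolicy

$gpoName = "Sales - No Control Panel"
$salesOu = "OU=Sales,DC=company,DC=local"

# 1. Create the GPO, or reuse it if it already exists so the script is re-runnable.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Hides the Control Panel for Sales users"
}

# 2. Set the user-side policy. NoControlPanel=1 under the Policies\Explorer key is
#    the registry value behind "Prohibit access to Control Panel and PC settings".
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the Sales OU only, so IT and the other OUs are unaffected.
$links = (Get-GPInheritance -Target $salesOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $salesOu -LinkEnabled Yes | Out-Null
}

# 4. Show everything now linked to the OU, in the order clients will process it.
Get-GPInheritance -Target $salesOu |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Clients pick the new policy up from SYSVOL on their next refresh; running gpupdate /force on a Sales workstation makes the change immediate.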

Delegation — sharing admin responsibilities

Active Directory also allows administrators to delegate specific tasks to other users without giving them full admin access. This is called delegation.

A common example: the IT helpdesk team needs to reset user passwords, but you don't want to give them full Domain Admin privileges. You can delegate just the password reset permission over a specific OU — say, the Sales OU — to the helpdesk team. They can reset passwords for Sales users, but nothing else.

This makes administration more scalable and secure, because you're following the principle of least privilege — giving people only the access they actually need.
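The helpdesk example above, as added PowerShell (not from the original post): it grants a hypothetical Helpdesk group only the "Reset Password" extended right on user objects under the Sales OU, nothing else. It assumes the ActiveDirectory RSAT module, a domain company.local, an existing group named Helpdesk, and an account that can modify the OU's permissions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# an OU Sales in company.local and a security group named Helpdesk (both hypothetical).
Import-Module ActiveDirectory

$ouDn     = "OU=Sales,DC=company,DC=local"
$helpdesk = Get-ADGroup -Identity "Helpdesk"
$sid      = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID

# Well-known schema GUIDs used to scope the permission:
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'user' class
$resetPwdGuid  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # 'Reset Password' extended right

# Read the OU's current ACL through the AD: PowerShell drive.
$acl = Get-Acl -Path "AD:\$ouDn"

# Allow ONLY the Reset Password control-access right, ONLY on descendant user
# objects. No write to group membership, no generic write, no control of the OU.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list what Helpdesk can now do on this OU. Expect a single ExtendedRight
# entry whose ObjectType is the Reset Password GUID, inherited to user objects.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\Helpdesk" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

Helpdesk members still cannot reset passwords for accounts outside the Sales OU, and they gain no rights over groups, computers or the OU itself.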

Trees and Forests — scaling beyond one domain

For smaller organisations, a single domain is perfectly fine. But as companies grow — especially internationally — they often need more than one domain.

What is a Tree?

A tree in Active Directory is a collection of domains that share the same root namespace. For example, if your company's main domain is company.local, you might add uk.company.local for your UK office and us.company.local for your US office. Together, these form a tree.

Each domain in the tree has its own Domain Controller and manages its own users and computers independently. But they're all part of the same family, sharing the same naming structure.

This setup is ideal when different regions or divisions need their own IT teams and their own policies, but still need to be part of the same organisation's network.

What is a Forest?

A forest is a collection of one or more trees. If two separate companies merge, each might bring its own Active Directory tree with a completely different namespace. Joining them together creates a forest.

Each tree keeps its own structure and identity, but they're now connected into a single network. The entire forest is managed at the highest level by a special group called Enterprise Admins, who have administrative privileges across every domain in the forest.

Trust Relationships — connecting domains

When two domains need to interact — for example, allowing a user from the US domain to access a file server in the UK domain — they need a trust relationship.

A trust relationship is essentially an agreement between two domains: "We recognise each other's users as legitimate."

There are two types:

One-way trust: Domain A trusts Domain B. This means users from Domain B can potentially be given access to resources in Domain A — but users from Domain A cannot access Domain B's resources. The direction of trust is opposite to the direction of access.

Two-way trust: Both domains trust each other. Users from either domain can be granted access to resources on the other side. This is set up automatically when domains join the same tree or forest.

One crucial point: a trust relationship does not automatically grant access to anything. It simply makes it possible for administrators to grant access. You still have to explicitly decide who gets in and who doesn't.

Why Active Directory matters for cybersecurity

Understanding Active Directory isn't just useful for IT administrators — it's essential knowledge for anyone in cybersecurity.

The Domain Controller is the crown jewel of any Windows network. It stores hashed passwords for every single user account in the domain. If an attacker manages to compromise the Domain Controller, they effectively have control over the entire organisation — every user, every computer, every resource.

This is why attacks targeting Active Directory — like Pass-the-Hash, Kerberoasting, and DCSync — are so common and so devastating. Cybersecurity professionals spend a significant amount of time hardening AD configurations, monitoring for unusual activity, and limiting who has privileged access.

Some key security best practices in AD environments include:

- Minimising the number of Domain Admin accounts
- Regularly auditing group memberships and permissions
- Enforcing strong password and account lockout policies via GPOs
- Monitoring for unusual login activity or privilege escalation
- Keeping Domain Controllers patched and up to date
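A read-only audit that covers the first three practices above, as an added PowerShell example (not from the original post): it expands the built-in privileged groups named earlier, flags members worth a second look, lists trust directions, and prints the domain password policy. It assumes the ActiveDirectory RSAT module and an account that can read group membership and trust objects; the 90-day staleness threshold is an assumed value.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and read access to groups, users and trusts. The 90-day cutoff is an assumption.
Import-Module ActiveDirectory

$privilegedGroups = "Domain Admins", "Enterprise Admins", "Administrators",
                    "Server Operators", "Backup Operators", "Account Operators"
$staleCutoff = (Get-Date).AddDays(-90)

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups; Enterprise Admins only exists in the forest root domain.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
        [pscustomobject]@{
            Group                = $group
            User                 = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordLastSet      = $u.PasswordLastSet
            # Flag disabled-but-privileged, non-expiring passwords and unused accounts.
            Flags = @(
                if (-not $u.Enabled)                             { 'DISABLED' }
                if ($u.PasswordNeverExpires)                     { 'PWD-NEVER-EXPIRES' }
                if (-not $u.LastLogonDate -or
                    $u.LastLogonDate -lt $staleCutoff)           { 'STALE-LOGON' }
            ) -join ','
        }
    }
}

"== Privileged group membership =="
$report | Sort-Object Group, User | Format-Table -AutoSize
"Distinct privileged users: " + @($report.User | Sort-Object -Unique).Count

"== Trusts (Direction is from this domain's point of view) =="
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive | Format-Table -AutoSize

"== Domain password policy (set by the Default Domain Policy GPO) =="
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
```

Running this on a schedule and diffing the output against the previous run turns it into a simple detection for unexpected additions to privileged groups.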

Wrapping up

Active Directory is the foundation of enterprise IT in the Windows world. It handles identity, access, policy, and structure — all from a central point. Here's a quick recap of everything we covered:

- Active Directory is a centralised directory service that manages users, computers, and resources across a network.
- The Domain Controller is the server that runs AD and is the most critical machine in the network.
- Users can represent real people or software services. Machines get their own accounts too.
- Security Groups control who can access what. OUs control what policies apply to whom.
- Group Policy lets admins push rules and settings to users and computers across the domain.
- Delegation allows admins to share specific tasks without giving out full admin access.
- Trees are collections of related domains. Forests are collections of trees, often from different organisations.
- Trust relationships allow users from one domain to be granted access to resources in another.
- From a security standpoint, AD is both the most powerful tool in IT — and one of the most targeted systems by attackers.

Whether you're studying for a certification, starting out in IT, or getting into cybersecurity — understanding Active Directory gives you a solid foundation for almost everything else that follows.