Active Directory: Glossary

This is a glossary of terms and acronyms used in Active Directory and related technologies:

2 |

A |

B |

C |

D |

E |

F |

G |

H |

I |

J |

K |

L |

M |

N |

O |

P |

Q |

R |

S |

T |

U |

V |

W |

X |

Y |

Z

 

2

2FA

Acronym for 2 Factor Authentication. A variant of Multi-Factor Authentication. See MFA.

 

A

AAD

Acronym for Azure Active Directory. It is the Identity as a service solution in Azure. Azure is the Microsoft cloud computing platform, and one of the services available is Active Directory.

AADJ

Acronym for Azure Active Directory Join. See Azure AD Join on Windows 10 devices.

ACE

Acronym for Access Control Entry. Individual entries in a security descriptor (called an access control list or ACL). Specifies permissions granted or denied to trustees for the resource to which the ACE applies.

ACL

Acronym for Access Control List. A collection of Access Control Entries (ACE's) that specify the security applied to a resource.

Active Directory

Microsoft's directory service database for Windows networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently renamed Active Directory Domain Services, or AD DS. Microsoft also has a product called Active Directory Lightweight Directory Services, or AD LDS (formerly called Active Dirctory Application Mode, or ADAM).

AD

Acronym for Active Directory. See Active Directory.

AD CS

Acronym for Active Directory Certificate Services. See Active Directory Certificate Services (AD CS) Overview.

AD DS

Acronym for Active Directory Domain Services. Microsoft's directory service product. See Active Directory Domain Services (AD DS) Overview.

AD FS

Acronym for Active Directory Federation Services. See Active Directory Federation Services (AD FS) Overview.

AD LDS

Acronym for Active Directory Lightweight Directory Services. This used to be called Active Directory Application Mode, or ADAM. A database for directory-enabled applications that do not need AD DS. See Active Directory Lightweight Directory Services Overview.

AD RMS

Acronym for Active Directory Rights Management Services. See Active Directory Rights Management Services Overview.

ADAC

Acronym for Active Directory Administrative Center. See Active Directory Administrative Center: Getting Started.

ADAL

Acronym for Azure AD Authentication Library. See Azure AD Authentication Library for .NET.

ADAM

Acronym for Active Directory Application Mode, now renamed Active Directory Lightweight Directory Services (AD LDS).

adfind

A command line tool developed by Joe Richard (DS-MVP) to query Active Directory. See AdFind.

ADLB

Acronym for Active Directory Load Balancing tool, Adlb.exe. Now obsolete, as the functionality is built into the Knowledge Consistency Checker (KCC) starting with Windows Server 2008 RODCs.

AdminSDHolder

Acronym for Admin Security Descriptor Holder. An object in the cn=System container of the domain. See AdminSDHolder, Protected Groups and SDPROP.

admod

A command line tool developed by Joe Richard (DS-MVP) to modify Active Directory. See AdMod.

ADMT

Acronym for Active Directory Migration Tool. Toolset to facilitate migration and restructuring tasks in an Active Directory Domain Services infrastructure. See ADMT Guide: Migrating and Restructuring Active Directory Domains.

ADO

Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB provider that allows database queries of Active Directory using ADO. Active Directory searches using ADO are only allowed in the LDAP namespace. ADO can also be used to access Microsoft Access databases, SQL Server databases, and even text files.

adprep

Active Directory Preparation Tool. Active Directory command line tool to prepare a domain or forest for the introduction of new versions of Windows Server domain controllers. Upgrades the schema. See Running Adprep.exe.

ADSI

Acronym for Active Directory Service Interface. A library of routines that provide an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).

ADSIEdit

A Windows Support tool for browsing and editing objects in Active Directory. See ADSI Edit.

ADsPath

A string that specifies the provider and the path to an object in a directory. This string can be used to bind to the object in a script or program. In Active Directory, the provider can be either "LDAP://" or "WinNT://". If you use the LDAP provider, then what follows after the "LDAP://" moniker will be the Distinguished Name of the object. If you use the WinNT provider, the path to the object is in the form "Domain\Name", where "Domain" is the NetBIOS name of the domain (or local workstation) and "Name" is the Relative Distinguished Name (RDN) of the object.

ADUC

Acronym for Active Directory Users and Computers, the MMC snap-in used to manage objects in Active Directory. Besides users and computers, you can also use this tool to manage contacts, groups, containers, and Organizational Units.

ADWS

Acronym for Active Directory Web Services. A Windows service that provides a Web interface to Active Directory domains, Active Directory Lightweight Directory Services instances, and Active Directory Database Mounting Tool instances on a Windows Server 2008 R2 (or above) server. See What's New in AD DS: Active Directory Web Services.

AES

Acronym for Advanced Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Supercedes the Data Encryption Standard (DES).

AGPM

Acronym for Microsoft Advanced Group Policy Management. Tool to manage Group Policy Objects (GPO). Part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. See Overview Series: Advanced Group Policy Management.

ANR

Acronym for Ambiguous Name Resolution, an efficient search algorithm in Active Directory that allows you to specify complex LDAP syntax filters involving multiple naming-related attributes in a single clause. The attributes must be ANR enabled in the directory schema. See Active Directory: Ambiguous Name Resolution.

Attribute

Property or characteristic of an object in Active Directory. The attributes available for each class of object is defined in the schema. The Schema defines the syntax and properties of each attribute.

Authentication

The process by which a user, computer, or service gains permission to function in a computer environment. See Authentication.

Azure Arc

Feature to extend Azure management to on-premises, multi-cloud, and Edge. See Azure Arc overview.

 

↑ Back to top

B

Back Link

A DN (Distinguished Name) syntax attribute in Active Directory whose value is based on a Link Table and the value of a related forward link attribute. For example, the member attribute of group objects is the forward link, while the memberOf attribute is the related back link.

BDC

Acronym for Backup Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.

Bitlocker

BitLocker Drive Encryption is data protection feature. See BitLocker Drive Encryption Overview.

BYOK

Acronym for Bring Your Own Key.

 

↑ Back to top

C

Canonical Name

An object name in Active Directory in canonical form. Also, the value of the canonicalName attribute of the object. The canonical name of the object appears on the "Object" tab of the Active Directory Users and Computers (ADUC) mmc. If the distinguished name of an object is "cn=Jim Smith,ou=Sales,ou=West,dc=mydomain,dc=com", then the canonical name will be "mydomain.com/West/Sales/Jim Smith".

CIM

Acronym for Common Information Model. The repository in the WMI schema that stores class definitions that model WMI managed resources. See Common Information Model.

Class

Defines a distinct type of object. Each instance of the class is an object with the attributes specified in the Schema, but the attributes will generally have different values.

Client

A computer workstation, where users run applications. If the workstation is connected to a network, the users can take advantage of services provided by servers. Also, in client-server applications the client is the part of the application that runs on a client workstation. See Client (computing).

CN

Acronym for Common Name. Also the moniker for objects with a common name in their distinguished names, for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com".

Common Name

Name of the attribute with lDAPDisplayName cn, which is the naming attribute for objects of class user, contact, computer, group, and container. The Relative Distinguished Name (RDN) of these objects is the value of the cn attribute, also referred to as the common name of the object. The moniker "cn" is also used in the distinguished names of these objects (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com").

Configuration Container

The container in Active Directory that specifies the configuration of the forest. Specifies such things as partitions, sites, servers, display specifiers, services, physical locations, well-known security principals, and forest updates.

Constructed Attribute

More commonly called an operational attribute. An attribute in Active Directory that is calculated by a domain controller on request, rather than being stored in the directory service database.

Contact

A contact object in Active Directory contains the contact information about people who are associated with the organization but are not part of it, for example, contractors or suppliers. A contact object does not have a SID. It can be a member of a group, but cannot be granted access to network resources.

Container

An object in Active Directory that can contain other objects. The objects most commonly referred to as containers have a Common Name (the naming attribute is the cn attribute). These containers cannot have group policies applied to them. They can contain users, contacts, groups, computers, and other containers. Organizational units (the naming attribute is the ou attribute) are also containers. They can contain the same objects, plus other organizational units, and they can have group policies applied. In addition, computer objects in Active Directory can contain objects like NTFRS Subscriptions and Service Connection Point (SCP) Objects.

csvde

Command line utiltity to import objects into and export objects from Active Directory using comma delimited text files.

 

↑ Back to top

D

DACL

Acronym for Discretionary Access Control List. See DACLs and ACEs.

DC

Acronym for Domain Controller. Also the moniker for Domain Component, as used in distinguished names (for example "dc=mydomain,dc=com").

DC Locator

The process used by clients to discover domain controllers. See How Domain Controllers are Located in Windows.

dcdiag

Domain Controller Diagnostics Tool. Command line utility used to analyze and report on the state of domain controllers. See Dcdiag.

dcpromo

Utility used to promote a computer with a Windows Server operating system that is joined to a domain into a domain controller. Installs Active Directory Domain Services (AD DS). Also used to demote a domain controller by removing AD DS. Note that Server Manager is used instead of dcpromo to promote or demote a computer with Windows Server 2012 or higher.

DDNS

Acronym for Dynamic Domain Name System, or Dynamic DNS. See Dynamic DNS.

DES

Acronym for Data Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Superceded by the Advanced Encryption Standard (AES). See Data Encryption Standard.

DFL

Acronym for Domain Functional Level. Specifies the versions of Windows Server supported as domain controllers in the domain, and the features of Active directory that are available.

DFS

Acronym for Distributed File System. Client and server services that allow servers to organize distributed file shares into a distributed file system. See Distributed File System (Microsoft).

DFSR

Acronym for Distributed File System Replication. See Distributed File System Replication.

DHCP

Acronym for Dynamic Host Configuration Protocol. Service that provides centralized control of Internet Protocol (IP) addresses. DHCP servers assign dynamic IP addresses and TCP/IP settings to other computers. See DHCP (Dynamic Host Configuration Protocol) Basics.

Directory Service

Repository of network operating system information to manage users and other resources in a networks. The Microsoft directory service product is Active Directory Domain Services (AD DS).

Distinguished Name

A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. Sometimes abbreviated DN, this specifies the name of the object (the Relative Distinguished Name) in it's parent container, and the location of the object in the hierarchical structure of Active Directory. The DN of an object is a string of components (Relative Distinguished Name's) separated by commas (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com"). The distinguished name combined with the "LDAP://" moniker forms the ADsPath of the object.

DIT

Acronym for Directory Information Tree. The Active Directory database file on a Domain Controller is referred to as the DIT. The file name is ntds.dit

DN

Acronym for Distinguished Name. See Distinguished Name.

DNS

Acronym for Domain Name System. The service that resolves computer names into IP addresses. See Domain Name System.

DNS Host Name

The Domain Naming System host name of any computer in Active Directory is the name used by DNS. An example would be host.mycompany.mydomain.com, where "host" is the Relative Distinguished Name of the computer and "mycompany.mydomain.com" is the DNS name of the domain.

Domain

An X.500-based hierarchical database of containers and objects. Microsoft domains have a DNS domain name, a security service to authenticate and authorize access to resources, and policies that dictate functionality. Domains are boundaries for administration and replication.

Domain Controller

A server with Active Directory installed. A domain controller (DC) is authoritative for the domain to which the server is joined. It contains the Active Directory database for the domain namespace, plus the Configuration and Schema namespaces for the forest.

Domain Naming Master

The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. One of the five Flexible Single Master Operator (FSMO) roles. The domain controller with this role can add, remove, rename, or move domains in the forest. It is also required to create application partitions. One domain controller in the forest must hold this role.

DSAStat

Command line utility to detect differences between naming contexts on domain controllers. See Dsastat Overview.

DsGetDcName

Function to retrieve the name of a domain controller in a specified domain. See DsGetDcName function.

dsquery

Command line utility used to query Active Directory. See Dsquery.

DSRM

Acronym for Directory Services Restore Mode. Used on Domain Controllers to take the instance of Active Directory on that computer offline, possibly for maintenance or troubleshooting. Requires a DSRM password.

 

↑ Back to top

E

Escape Character

The escape character in Active Directory is the backslash character, "\. Some characters in distinguished names, such as commas, must be escaped with this character.

ESE

Acronym for Extensible Storage Engine. The Jet-based ISAM data storage technology used in Active Directory and Exchange. Also called Jet Blue. Allows data storage and retrieval using indexed and sequential access. See Extensible Storage Engine.

Ethernet

Computer networking technologies for Local Area Networks (LANs). See Ethernet.

 

↑ Back to top

F

FAS

Acronym for Filtered Attribute Set, the subset of attributes that are not replicated to Read-Only Domain Controllers (RODC's).  See RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC.

FFL

Acronym for Forest Functional Level. Specifies the versions of Windows Server supported as domain controllers in the forest, and the features of Active directory that are available.

FGPP

Acronym for Fine-Grained Password Policy. A feature in Windows Server 2008 (and above) to define different password and account lockout policies for different sets of users in a domain. See AD DS: Fine-Grained Password Policies.

Fine-Grained Password Policy (FGPP). A feature in Windows Server 2008 (and above) to define different password and account lockout policies for different sets of users in a domain. See AD DS: Fine-Grained Password Policies.

Foreign Security Principal

An object that represent a security principal from a trusted domain external to the forest. These objects allow the foreign security principals to become members of groups within the domain. See Foreign Security Principals Container.

Forest

A collection of Active Directory trees that share a Configuration container and Schema and are connected through trusts. The forest acts as a security boundary for an organization and defines the scope of authority for administrators.

Forward Link

A DN (Distinguished Name) syntax attribute in Active Directory that is linked through a Link Table to a related back link attribute, also DN syntax. When the forward link is modified, the system automatically updates the link table for the back link attribute. For example, the member attribute of group objects is the forward link, while the memberOf attribute is the related back link.

FQDN

Acronym for Fully Qualified Domain Name. See Fully qualified domain name.

FRS

Acronym for File Replication Service. Service for distributing shared files and Group Policy Objects (GPO's). See File Replication Service.

FSMO

Acronym for Flexible Single Master Operator. These are roles that are assigned only to designated domain controllers, either one in each domain, or one in the forest. The five FSMO roles are:

• Schema Master (one for the forest)
• Domain Naming Master (one for the forest)
• PDC Emulator (one for each domain)
• RID Master (one for each domain)
• Infrastructure Master (one for each domain)

FSP

Acronym for Foreign Security Principal. Objects that represent security principals from trusted domains external to the forest, and allow the foreign security principals to become members of groups within the domain. See Foreign Security Principals Container.

Fully Qualified Domain Name

The Fully Qualified Domain Name (FQDN) of a computer is the host name (the NetBIOS name) of the computer, followed by a dot, followed by the DNS name of the domain. The value of the sAMAccountName of the computer should be the NetBIOS name with the "$" character appended at the end. If the distinguished name of the domain is "dc=mycompany,dc=mydomain,dc=com", then the DNS name of the domain will be "mycompany.mydomain.com". If a computer in this domain has host name "mycomputer", then the FQDN will be "mycomputer,mycompany.mydomain.com". The FQDN of other classes of objects, like users, will be the value of the sAMAccountName attribute, followed by a dot, followed by the DNS name of the domain. See Fully qualified domain name.

Functional Level

Specifies the versions of Windows Server supported as domain controllers in the domain or forest, and the features of Active directory that are available.

 

↑ Back to top

G

GC

Acronym for Global Catalog.

Global Catalog

A read-only catalog of all objects in a forest, which contains a subset of the attributes. The subset of attributes is called the partial attribute set (PAS). A domain controller can be designated a GC.

GP

Acronym for Group Policy. See Step-by-Step Guide to Understanding the Group Policy Feature Set.

GPMC

Acronym for Group Policy Management Console, the MMC used to manage group policy objects.

GPO

Acronym for Group Policy Object. See Group Policy Objects.

GPP

Acronym for Group Policy Preferences. See Group Policy Preferences Getting Started Guide.

gpresult

Command line utility to display the Resultant Set of Policy (RSoP) for a user or computer. See Gpresult.

gpupdate

Command line utility to update group policy settings. See Gpupdate.

Group

An object in Active Dirctory that can have members. Permissions can be granted to security groups (not distribution groups) to give all members access to resources. Members can be users, contacts, computers, or other groups.

Group Policy

Policies linked to Active Directory domains, organizational units, or groups, which are applied to the child objects within. Group Policies are defined in Group Policy Objects (GPO's). See Step-by-Step Guide to Understanding the Group Policy Feature Set.

Group Policy Preferences

See Group Policy Preferences Getting Started Guide.

GUID

Acronym for Globally Unique IDentifier. A 128-bit value that should uniquely identify an object. The value is usually displayed as 32 hexadecimal digits. Every object in Active Directory has an objectGUID attribute, which is the GUID of the object. See Globally unique identifier.

 

↑ Back to top

H

Host

A computer connected to a network. Also called a network node.

HYOK

Acronym for Hold Your Own Key.

 

↑ Back to top

I

IADs

Interfaces supported by ADSI. Exposes methods and properties of namespace objects. See IADs interface.

IAM

Acronym for Identity and Access Managment. See Identity and Access Management.

IAS

Acronym for Internet Authentication Server. Provides centralized authentication services in Windows Server operating systems. Replaced by Network Policy Server (NPS) in Windows Server 2008.

IDaaS

Acronym for IDentity as a Service. See Identity as a Service (IDaaS) -IGA.

IFM

Acronym for Install From Media, a feature for installing software or enabling features from media. See Installing AD DS from Media.

IGA

Acronym for Identity Governance and Administration. See Saviynt Express: Enterprise IGA for Azure, AzureAD.

IIS

Acronym for Internet Information Services. Also sometimes referred to as Internet Information Server. See Internet Information Services (IIS).

Implicit Identity

Default groups that are now called special identities. They do not have specific memberships, but can represent different users at different times, depending on the circumstances. Some of these groups include Anonymous Logon, Batch, and Authenticated User. See Special Identities.

Infrastructure Master

The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other domains. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.

Inheritance

Inheritance is when an object or class is based on another object or class. See Class Inheritance in the Active Directory Schema.

Instance

A specific realization of something, such as a class of objects. You instantiate a class to create an instance of the object. You can then assign values to the attributes of the object. The attributes available are defined by the class in the schema. An instance of Active Directory is the installation of Active Directory on a specific domain controller.

IPD

Acronym for Infrastructure Planning and Design guide. Documents providing guidance on design of infrastructure for Microsoft products.

ISAM

Acronym for Indexed Sequential Access Method. A method of indexing data for fast retrieval. The Extensible Storage Engine (ESE) used in Active Directory is an implemention of ISAM. See ISAM.

ISTG

Acronym for InterSite Topology Generator. Automatically creates connection objects in Active Directory between domain controllers to enable replication. See The Role of the Inter-Site Topology Generator in Active Directory Replication.

 

↑ Back to top

J

Jet Database Engine

Jet is the acronym for Joint Engine Technology. Active Directory and Exchange use a Jet-based ISAM data storage technology called Extensible Storage Engine (ESE). See Microsoft Jet Database Engine.

 

↑ Back to top

K

KCC

Acronym for Knowledge Consistency Checker. A process in Active Directory that automatically generates and maintains connection objects that describe which naming contexts should be replicated between which  domain controllers and when. See KCC Replication Path Computation.

KCD

Acronym for Kerberos Constrained Delegation. See About Kerberos constrained delegation.

Kerberos

Primary authentication method used in Active Directory domains. Uses encrypted tickets to verify the identity of users and services. Older operating systems support DES encryption. Vista, Windows Server 2008, and newer operating systems support AES encryption.

 

↑ Back to top

L

LAPS

Acronym for Local Administrator Password Solution. A Microsoft password management solution for local administrator account passwords. Sets a different random password on every computer in a domain. The passwords are stored in a confidential attribute of the corresponding computer object in Active Directory. See Microsoft Security Advisory 3062591.

LDAP

Acronym for Lightweight Directory Access Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active Directory, or any LDAP compliant database. The LDAP syntax is a filter syntax used to query LDAP compliant databases. See Lightweight Directory Access Protocol.

LDAPDisplayName

In the Active Directory each attribute is represented by an object in the Schema Container, which itself has attributes. Each attribute object has a common name (the value of the cn attribute of the attribute object) and an LDAPDisplayName. When referring to an attribute programmatically, such as in a script or command line utility, you must use the LDAPDisplayName. This is the name used by LDAP clients, such as the ADSI provider. However, it is also used by the PowerShell cmdlets, since it uniquely identifies the attribute. In this way the attribute is similar to the sAMAccountName attribute of user, computer, or group objects in Active Directory.

LDAPS

Acronym for LDAP over SSL. See LDAP over SSL (LDAPS) Certificate.

LDIF

Acronym for LDAP Data Interchange Format. A standard plain text data interchange format. Represents directory content as records for update requests. Used by the ldifde command line utility. See LDAP Data Interchange Format.

ldifde

Command line utility to import objects into and export objects from Active Directory using ldif format text files. Can be used to create, modify, and delete Active Directory objects. See Ldifde.

LDP

Acronym for LDAP Directory Probe. A graphical user interface (GUI) based LDAP client utility used to search, browse, and update LDAP compliant directories, such as Active Directory. See Ldp.

Legacy Value

The value of a linked multi-valued attribute that was added to Active Directory when the Forest Functional Level was Windows 2000. Such values do not take advantage of Linked Value Replication. The repadmin tool reports these values as "LEGACY". See Remediate Active Directory Members that Don't Support LVR.

Lingering Objects

Lingering objects can occur if a domain controller does not replicate for an interval of time longer than the tombstone lifetime (TSL), and then reconnects to the replication topology. Objects that were deleted from Active Directory during this time can remain on the domain controller as lingering objects. See Information about lingering objects in a Windows Server Active Directory forest.

Link Table

Most attributes are stored directory in the Active Directory database. But linked attributes use a Link Table. The forward link is saved in the AD database, but the value of the corresponding back link is retrieved using the entry in the link table. See How the Data Store Works.

Linked Attribute

Linked attributes are pairs of attributes. The forward link is one you can update. The back link is a related attribute that is automatically updated by the system when the forward link is updated. Only the forward link is actually saved in Active Directory. A link table determines the value of the back link. Both attributes must be DN (Distinguished Name) syntax. See How the Data Store Works.

Linked Value Replication

Linked value replication (LVR) is how linked multi-valued attributes replicate when they are updated. Instead of the entire attribute, only the individual updated values in the attribute are replicated. Requires Windows Server 2003 Interim mode or Windows Server 2003 Forest Functional Level or higher. When a non-linked multi-valued attribute is updated, the entire attribute must be replicated.

 

↑ Back to top

M

Mandatory Attribute

An attribute defined in the schema as mandatory for a class of objects. Every instance of the class of object must have a value assigned to these attributes.

Member Server

A computer running a Windows Server operating system (a server) that is a member of an Active Directory domain, but is not a domain controller.

Metadata

Metadata is data about data. For example, replication metadata is data about replication events, such as the originating source, the USN number, and the date and time of the replication. See Metadata.

Method

Function or procedure implemented by code. See Method (computer programming).

MFA

Acronym for Multi-Factor Authentication. Authentication that requires more than one verification method. Adds a second layer of security to logons. The verification methods can include: a password, biometrics, challenge response question, trusted device characteristics, or a pin communicated to a trusted email account or mobile device. A related concept is Two-Factor Authentication, or 2FA. See Multi-factor authentication.

MIM

Acronym for Microsoft Identity Manager. The latest version of Microsoft’s Identity and Access management (IAM) product suite. See Microsoft Identity Manager.

Mixed Mode

A domain that supports Windows NT domain controllers. The domain does not support nested groups. The alternative is Native Mode. The distinction only applies to Windows 2000 Server Domain Functional Level (DFL).

MMC

Acronym for Microsoft Management Console. An extensible service for management applications. Provides a user interface allowing addition of snap-ins to manage services in a GUI console.

MSA

Acronym for Managed Service Account. See Introducing Managed Service Accounts.

MSAL

Acronym for MicroSoft Authentication Library. More commonly referred to as the Azure Active Directory Authentication Library. See ADAL.

MSODS

Acronym for MicroSoft Online Directory Service.

Multi-Valued Attribute

An Active Directory attribute that can have more than one value. Most attributes are single-valued. They can have only one value (or no value). Multi-valued attributes can have no value, one value, or more than one. For example, the "member" attribute of a group object is a collection of the distinguished names of all objects that are direct members of the group.

 

↑ Back to top

N

Namespace

A container for a set of identifiers or names. A namespace groups names by functionality. The same object can be represented in more than one namespace, each with different naming conventions. For example, an Active Directory object can be represented in WinNT, a flat namespace, or in LDAP, a hierarchical namespace. A .NET namespace would be system.DirectoryServices.ActiveDirectory.

Naming Context

A contiguous sub-tree of the directory that is a unit of replication. In Active Directory each domain controller has at least three Naming Contexts (also called NC replicas): The Schema NC, the Configuration NC, and the domain naming context.

NameTranslate

NameTranslate refers to the IADsNameTranslate interface, which can be used to convert the names of Active Directory objects from one format to another. See NameTranslate FAQ.

Native Mode

A domain that does not support Windows NT domain controllers. The domain also supports nested groups. The alternative is Mixed Mode. The distinction only applies to Windows 2000 Server Domain Functional Level (DFL).

nbstat

Command line utility to report NetBIOS over TCP/IP statistics. See Nbtstat.

NBT

Acronym for NetBIOS over TCP/IP, sometimes also called NetBT. A networking protocol that allows legacy applications that rely on the NetBIOS API to work in TCP/IP networks. See NetBIOS over TCP/IP.

NC

Acronym for Naming Context. A partition (namespace) in Active Directory. Examples include the Schema container, Configuration container, the Domain Naming context for each domain, and any application partitions. See Naming Contexts and Directory Partitions.

Nested Group

A group object in Active Directory that is a member of another group.

.NET

The .NET Framework is a programming model designed to replace the Win32 and COM APIs. The major components are the Common Language Runtime (CLR) and the .NET Framework class libraries.

NetBIOS

Acronym for Network Basic Input/Output System. Service allowing applications on separate computers to communicate over a network. Uses NetBIOS over TCP/IP (NBT) protocol. The NetBIOS name of a computer is generally the first 15 characters of the host name, followed by the "$" character. NetBIOS name to IP address resolution is provided by the WINS service on a WINS server.

NetBT

Acronym for NetBIOS over TCP/IP, also called NBT. A networking protocol that allows legacy applications that rely on the NetBIOS API to work in TCP/IP networks. See NetBIOS over TCP/IP.

netdiag

Command line utility to diagnose network and connectivity problems. Not supported after Windows Server 2003. See Netdiag.

netdom

Command line utility to manage Active Directory domains and trusts. See Netdom.

NetLogon

A service that verifies NTLM logon requests. It registers, authenticates, and locates domain controllers. Also, the Netlogon share stores logon scripts and possibly other files. See NetLogon.

Netstat

Acronym for Network statistics. Command line utility to display information on network connections. See Netstat.

nltest

Command line utility to perform network administration tasks. See Nltest.

NOS

Acronym for Network Operating System. An operating system installed on a server that allows clients to communicate and share resources on the server. See Network operating system.

NPS

Acronym for Network Policy Server. Microsoft's implementation of Remote Authentication Dial-In User Service (RADIUS). Originally the Internet Authenication Server (IAS) role service (before Windows Server 2008). See Network Policy Server.

nslookup

Command line utility to diagnose Domain Name Service (DNS) infrastructure problems. See Using NSlookup.exe.

NT

Acronym for Windows NT, a family of Microsoft operating systems. NT originally was the acronym for New Technology. See Windows NT.

ntdsutil

Command line utility to manage Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). See Ntdsutil.

NTFRS

Acronym for NT File Replication Service. Service for distributing shared files and Group Policy Objects (GPO's). See File Replication Service.

NTP

Acronym for Network Time Protocol. Protocol for time synchronization between computer systems. See Network Time Protocol.

 

↑ Back to top

O

Object

An entry in the directory of a specific class. Objects in Active Directory have attributes appropriate for their class.

OID

Acronym for Object IDentifier. For example, each attribute in the Active Directory schema has a unique X.500 OID (the value of the attributeID attribute of the attribute). All OID values created by Microsoft begin with 1.2.840.113556. OID values are also used to identify attribute syntaxes and filter matching rules. See Object identifier.

OKTA

A third party identity provider that implements single sign-on using the WS Federation/WS-Trust identity standard. See Azure Active Directory federation compatibility list: third-party identity providers that can be used to implement single sign-on.

oldcmp

A command line tool developed by Joe Richard (DS-MVP) to query Active Directory for unused computer or user accounts. Can be also clean up the accounts. See OldCmp.

Operational Attribute

An attribute in Active Directory that is calculated by a domain controller on request, rather than being stored in the directory service database. Also called a constructed attribute.

Optional Attribute

An attribute defined in the schema as optional for a class of objects. Any instance of the class of object can have a value assigned to any of these attributes, but they are not required to have a value.

Organizational Unit

A type of container in an Active Directory domain. It can contain objects like users, computers, contacts, groups, or other OU's or containers. OU's can also have group policies applied.

OTP

Acronym for One Time Password. See Strong Authentication with One-Time Passwords in Windows 7 and Windows Server 2008 R2.

OU

Acronym for Organizational Unit. Also the naming attribute for organizational unit objects in Active Directory, and the moniker used in their distinguished names (for example "ou=West,dc=mydomain,dc=com").

 

↑ Back to top

P

Partition

A subdivision of a database. In Active Directory, each naming context is a partition. Also called a namespace.

PAS

Acronym for Partial Attribute Set. The subset of attributes of the objects replicated to the Global Catalog. See Active Directory: Attributes in the Partial Attribute Set.

PCNS

Acronym for Password Change Notification Service. Enables synchronization of passwords between Active Directory and other identity systems. See Password Change Notification Service.

PDC

Acronym for Primary Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.

PDCe

Acronym for PDC emulator or Primary Domain Controller emulator. See PDC Emulator.

PDC Emulator

The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. It also is used to forward password changes immediately to other domain controllers and serves as the primary time source for the domain. The PDC Emulator is also targeted by most Group Policy tools. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator roles (FSMO).

PowerShell

Scripting language and command line shell based on C# and the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or in a script with the statements saved in a file with the .ps1 extension.

Pre-Windows 2000 Name

The value of the sAMAccountName attribute of user and group objects in Active Directory. For computer objects, it is the NetBIOS name of the machine (the sAMAccountName is the NetBIOS name with the "$" character appended to the end). For user objects in the Active Directory Users and Computers mmc, the field is called the "pre-Windows 2000 logon name".

Primary Group

Each user and computer object in Active Directory has one group designated as their "primary" group. By default the primary group for users is the "Domain Users" group. The default primary group for computer objects is the "Domain Computers" group. Primary group membership is not included in the memberOf attribute of the user or computer, or in the member attribute of the group.

Property

Fixed values assigned to objects. In Active Directory, the properties of objects are often referred to as attributes. Active Directory attributes themselves have properties as specified in the Schema.

Property Method

A function that displays and/or assigns values to properties of an Active Directory object. For example, the AccountExpirationDate property method exposed by the IADsUser interface displays or assigns values corresponding to a date to the accountExpires attribute of a user object.

Provider

Library of interfaces including methods and properties that expose directory namespaces. Active Directory is supported by the LDAP and WinNT providers.

PSO

Acronym for Password Setting Object. Objects in the System container of Active Directory that implement Fine-Grained Password Policies (FGPP). See AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide.

 

↑ Back to top

Q

 

↑ Back to top

R

Remote Desktop Agent

Service for installation of Windows Azure Guest Agent to enable a virtual machine. See Troubleshooting Windows Azure Guest Agent.

Remote Desktop Web

Client feature to let users access Remote Desktop infrastructure through a web browser. See Set up the Remote Desktop web client for your users.

RDN

Acronym for Relative Distinguished Name. The name of an object in Active Directory relative to it's location in the hierarchical structure of Active Directory. The Relative Distinguished Name will be the lowest level component of the Distinguished Name (DN). The RDN must be unique in the parent container or Organizational Unit (OU), while the Distinguished Name will be unique in the forest.

Recycle Bin

A container for retaining deleted objects temporarily. The deleted objects can be restored until the recycle bin is emptied, after which the objects are permanently deleted. See Active Directory Recycle Bin Step-by-Step Guide.

Relative Distinguished Name

The name of an object in Active Directory relative to it's location in the hierarchical structure of Active Directory. The Relative Distinguished Name, abbreviated RDN, will be the lowest level component of the Distinguished Name (DN). The RDN must be unique in the parent container or Organizational Unit (OU), while the Distinguished Name will be unique in the forest.

repadmin

Command line utility to diagnose Active Directory replication between domain controllers. See Repadmin.

Replica

A copy of an Active Directory namespace (or naming context) on a domain controller that replicates with other domain controllers.

Replication

The process by which domain controllers keep their Active Directory databases synchronized. See How Active Directory Replication Works.

RID

Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components, including the RID. The SID without the RID is the same for all objects in a domain. The RID value uniquely identifies the object in the domain.

RID Master

The RID Master role holder is the domain controller responsible for assigning pools of RID's to all domain controllers in the domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator roles (FSMO).

RODC

Acronym for Read-Only Domain Controller. Cannot be used to update objects in Active Directory. See AD DS: Read-Only Domain Controllers.

RootDSE

Acronym for Root Directory Service Entry (or Root DS Entry), an object required of all LDAP compliant directories (such as Active Directory). Exposes a set of properties that are characteristic of the directory. See RootDSE.

RSAT

Acronym for Remote Server Administration Tools. See Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki).

RSO

Acronym for ReplicateSingleObject. A Read-Only Domain Controller (RODC) can request replication of a specifc object with functionality known as a Replicate-Single-Object operation. See replicateSingleObject.

RSoP

Acronym for Resultant Set of Policy. See Resultant Set of Policy (RSoP).

RUS

Acronym for Recipient Update Service. See Recipient Update Service.

RWDC

Acronym for Read-Write Domain Controller. A writeable domain controller, meaning it can be used to update objects in Active Directory. All domain controllers are writeable, unless they are a Read-Only Domain Controller (RODC).

 

↑ Back to top

S

SACL

Acronym for System Access Control List. See Access Control Lists.

SAM

Acronym for Security Account Manager, the Windows NT account database format. A Windows NT SAM account database exposes a flat namespace (with no hierarchy). See Security Accounts Manager.

sAMAccountName

The logon name used to support clients and servers running earlier versions of Windows. Also called the "Pre-Windows 2000 logon name". See SAM-Account-Name attribute.

SAML

Acronym for Security Assertion Markup Language. An XML based standard for exchanging authentication and authorization data between an identity provider and a service or application. See Security Assertion Markup Language.

SASL

Acronym for Simple Authentication and Security Layer. A framework for authentication and data security on the Internet. See Simple Authentication and Security Layer.

Schema

Defines the structure of the data in a database. In Active Directory, the Schema container defines the object classes and the attributes that apply to each class in Active Directory.

Schema Container

The container within the Configuration container with objects that define the classes in Active Directory and the attributes that apply to the classes.

Schema Master

The Schema Master role holder is the domain controller that can make changes to the Schema. One domain controller in the forest must hold this role. One of the five Flexible Single Master Operator roles (FSMO).

SCP

Acronym for Service Connection Point object. An object that represents one or more instances of a service and is used to connect to the service. These are objects in Active Directory usually published under the computer object where the corresponding service is installed. Used to maintain information about the service. See Publishing with Service Connection Points.

SDPROP

Acronym for Security Descriptor Propagator. See AdminSDHolder, Protected Groups and SDPROP.

SDS

Acronym for System.DirectoryServices namespace. The primary namespace used for code that targets Active Directory in the .NET Framework. See System.DirectoryServices Namespace.

Security Principal

An object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE).

Server

A computer with a server operating system that can share resources in a network. A Domain Controller is one type of server.

SID

Acronym for Security IDentifier. All objects in Active Directory that are security principals (users, computers, groups) have the objectSID attribute, which is a SID. The SID uniquely identifies the object for security permissions. The SID value includes several components, including a RID (Relative ID). The SID without the RID is the same for all objects in the domain. Each security principal object in an Active Directory domain has its own unique RID value.

Site

An Active Directory site defines the boundaries of high-speed connectivity for optimal replication and authentication. Sites are defined in the Configuration container of Active Directory.

Site Link

An object in Active Directory that defines the connection between sites, allowing them to replicate with each other.

SNTP

Acronym for Simple Network Time Protocol. A less complex implementation of NTP. See SNTP.

SOA

Acronym for Start Of Authority. Records created by Read-Only Domain Controllers for read-only DNS zones. Also acronym for Service Oriented Architecture. Software architecture where discrete pieces of software provide application functionality as services to other applications. See Service-oriented architecture.

Special Identity

Special identities (sometime call implicit identities) are default groups that do not have specific memberships, but can represent different users at different times, depending on the circumstances. Some of these groups include Anonymous Logon, Batch, and Authenticated User. See Special Identities.

SPN

Acronym for Service Principal Name. The name by which a client uniquely identifies an instance of a service. Each instance of a service must have its own SPN, but a given service instance can have multiple SPN's. See Service Principal Names.

SRV

Service Records. See SRV record.

SSL

Acronym for Secure Sockets Layer. Predecessor to Transport Layer Security (TLS). See Transport Layer Security.

SSO

Acronym for Single Sign On. A Property of access control of multiple related but independent software systems that allows users to logon once and gain access to all systems without being prompted to logon again. See Single sign-on.

Stand-alone Server

A computer running a Windows Server operating system (a server) that is not a member of an Active Directory domain.

Subnet

A portion of a network defined by a subnet mask applied to the IP addresses of the components. Subnets are defined in the Configuration container of Active Directory.

Sysvol

A collection of folders and reparse points in the file system that exists on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain. See Introduction to Administering SYSVOL.

 

↑ Back to top

T

TGS

Acronym for Ticket Granting Service. See Kerberos (protocol).

TGT

Acronym for Ticket Granting Ticket. Encrypted file granting access for a user to data protected by a Key Distribution Center (KDC). Contains session key, expiration date, and user IP Address. See Ticket-Granting Tickets.

TLS

Acronym for Transport Layer Security. Successor to Secure Sockets Layer (SSL). See Transport Layer Security.

Tombstone

Deleted objects in the "Deleted Objects" container are referred to as tombstones. When an object is deleted from Active Directory it, with most of its attributes, is moved to the "Deleted Objects" container. Objects remain in this container, where they can be reanimated, for the tombstone period after which they are permanently deleted.

Tree

A collection of Active Directory hierarchical domains in a contiguous namespace.

Trust

A relationship between domains that allows access by objects in one domain to resources in another.

Trustee

The identity of the object to which an Access Control Entry applies.

TSL

Acronym for Tombstone Lifetime. The number of days before a deleted object is removed from the directory services. See Tombstone-Lifetime attribute.

 

↑ Back to top

U

UPN

Acronym for User Principal Name, or the userPrincipalName attribute. See User-Principal-Name attribute.

USN

Acronym for Update Sequence Number. Used in Active Directory replication. A counter on each domain controller used to determine what changes should be replicated. See Tracking Updates.

UTDV

Acronym for Up-To-Datedness Vector. See Tracking Updates.

 

↑ Back to top

V

VBScript

Visual Basic Script Edition, a subset of the classic Visual Basic language. Programs written in VBScript are saved in files with the .vbs extension. VBScript programs can be run with either of two host programs, cscript.exe or wscript.exe.

VLV

Acronym for Virtual List View. Searching capability allowing display of results without returning every entry. See Virtual List VIew (VLV) and Active Directory - What's it Good For?

 

↑ Back to top

W

W32Time

Service that synchronizes the time on all computers in the forest.

WAAD

Acronym for Windows Azure Active Directory. Also known as Azure Active Directory (AAD). Active Directory Domain Services in the Windows Azure cloud. Windows Azure is the Microsoft cloud computing platform, and one of the services available is Active Directory.

WinNT

Windows NT namespace provider, supporting the Windows NT SAM account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.

WINS

Acronym for Windows Internet Naming Service. Resolves computer NetBIOS names into IP Addresses. See Windows Internet Name Service.

WMI

Acronym for Windows Management Instrumentation. WMI is management technology allowing scripts and programs to monitor and control managed resources throughout the network. Resources include hard drives, file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups. See Windows Management Instrumentation.

Workstation

A computer with a non-server operating system used by users, as opposed to a server. A workstation can be joined to a domain.

WPAD

Acronym for Web Proxy AutoDiscovery. A service provided via either DHCP or DNS to help clients automatically find a proxy server. See Web Proxy Autodiscovery Protocol.

WQL

Acronym for WMI Query Language, as subset of ANSI Structured Query Language (SQL) used to query WMI namespaces. See WQL.

WSAD

Acronym for Windows Server Active Directory. On premises Active Directory, as apposed to the cloud based Azure Active Directory (AAD)

WSH

Acronym for Windows Script Host, an ActiveX scripting host providing an environment for the execution of scripts using one of several scripting engines or languages, such as VBScript or JScript.

 

↑ Back to top

X

X.500

Computer networking standards for directory services. Developed by ITU-T (International Telecommunications Union, Telecommunications sector), formerly CCITT (International Telegraph and Telephone Consultative Committee). See X.500.

 

↑ Back to top

Y

 

↑ Back to top

Z

Zero Trust

A security model that assumes every request could originate from an uncontrolled network and must be verified. See Zero Trust Guidance Center.

Zone

A collection of contiguous hierarchical domain names. Portions of the DNS namespace delegated to one or more name servers.

 

↑ Back to top

See Also

• Wiki: Portal of TechNet Wiki Glossaries
• Wiki: Cross-Linking
• Glossary of Tech Acronyms
• Wiki: Active Directory Domain Services (AD DS) Portal
• Wiki: How to Add Entries to a TechNet Wiki Glossary

 

↑ Back to top