This is a glossary of terms and acronyms used in Active Directory and related technologies:
Acronym for 2 Factor Authentication. A variant of Multi-Factor Authentication. See
Acronym for Azure Active Directory. Active Directory Domain Services in the Windows Azure cloud. Windows Azure is the Microsoft cloud computing platform, and one of the services available is Active Directory.
Acronym for Azure Active Directory
Azure AD Join on Windows 10 devices.
Acronym for Access Control Entry. Individual entries in a security descriptor (called an access control list or
ACL). Specifies permissions granted or denied to trustees for the resource to which the ACE applies.
Acronym for Access Control List. A collection of Access Control Entries (ACE's) that specify the security applied to a resource.
Microsoft's directory service database for Windows networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently renamed Active Directory Domain Services,
or AD DS. Microsoft also has a product called Active Directory Lightweight Directory Services, or AD LDS (formerly called Active Directory Application Mode, or ADAM).
Acronym for Active Directory. See
Acronym for Active Directory Certificate
Services. See Active Directory Certificate Services (AD CS) Overview.
Acronym for Active Directory Domain
Services. Microsoft's directory service product. See
Active Directory Domain Services (AD DS) Overview.
Acronym for Active Directory Federation
Active Directory Federation Services (AD FS) Overview.
Acronym for Active Directory Lightweight
Directory Services. This used to be called Active Directory Application Mode, or ADAM. A database for directory-enabled applications that do not need AD DS. See
Active Directory Lightweight Directory Services Overview.
Acronym for Active Directory Rights
Management Services. See
Active Directory Rights Management Services Overview.
Acronym for Active Directory Administrative
Active Directory Administrative Center: Getting Started.
Acronym for Azure AD Authentication
Azure AD Authentication Library for .NET.
Acronym for Active Directory Application
Mode, now renamed Active Directory Lightweight Directory Services (AD LDS).
A command line tool developed by Joe Richards (DS-MVP) to query Active Directory. See
Acronym for Admin Security Descriptor
Holder. An object in the cn=System container of the domain. See
AdminSDHolder, Protected Groups and SDPROP.
A command line tool developed by Joe Richards (DS-MVP) to modify Active Directory. See
Acronym for Active Directory Migration
Tool. Toolset to facilitate migration and restructuring tasks in an Active Directory Domain Services infrastructure. See
ADMT Guide: Migrating and Restructuring Active Directory Domains.
Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB
provider that allows database queries of Active Directory using ADO. Active Directory searches using ADO are only allowed in the LDAP namespace. ADO can also be used to access Microsoft Access databases, SQL
Server databases, and even text files.
Active Directory Preparation Tool. Active Directory command line tool to prepare a domain or forest for the introduction of new versions of Windows Server domain controllers. Upgrades the schema. See
Acronym for Active Directory Service
Interface. A library of routines that provide an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).
A Windows Support tool for browsing and editing objects in Active Directory. See
A string that specifies the provider and the path to an object in a directory. This string can be used to bind to the object in a script or program. In Active Directory, the provider can be either "LDAP://" or "WinNT://". If you use the LDAP
provider, then what follows after the "LDAP://" moniker will be the Distinguished Name of the object. If you use the WinNT provider, the path to the object is in the form "Domain\Name", where "Domain"
is the NetBIOS name of the domain (or local workstation) and "Name" is the Relative Distinguished Name (RDN) of the object.
Acronym for Active Directory Users and
Computers, the MMC snap-in used to manage objects in Active Directory. Besides users and computers, you can also use this tool to manage contacts, groups, containers, and Organizational Units.
Acronym for Active Directory Web
Services. A Windows service that provides a Web interface to Active Directory
domains, Active Directory Lightweight Directory Services instances, and Active Directory Database Mounting Tool instances on a Windows Server 2008 R2 (or above) server. See
What's New in AD DS: Active Directory Web Services.
Acronym for Advanced Encryption Standard. A specification for the encryption of electronic data used by
Kerberos. Supersedes the Data Encryption Standard (DES).
Acronym for Microsoft Advanced Group
Policy Management. Tool to manage Group Policy Objects (GPO). Part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. See
Overview Series: Advanced Group Policy Management.
Acronym for Ambiguous Name Resolution, an efficient search algorithm in Active Directory that allows you to specify complex LDAP syntax filters involving multiple naming-related attributes
in a single clause. The attributes must be ANR enabled in the directory
Active Directory: Ambiguous Name Resolution.
Property or characteristic of an object in Active Directory. The attributes available for each class of object are defined in the
schema. The Schema defines the syntax and properties of each attribute.
The process by which a user, computer, or service gains permission to function in a computer environment. See
A DN (Distinguished Name) syntax attribute in Active Directory whose value is based on a Link Table and the value of a related forward link attribute. For example, the member
attribute of group objects is the forward link, while the memberOf attribute is the related back link.
Acronym for Backup Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no
longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.
BitLocker Drive Encryption is a data protection feature. See
BitLocker Drive Encryption Overview.
Acronym for Bring Your Own
An object name in Active Directory in canonical form. Also, the value of the canonicalName attribute of the object. The canonical name of the object appears on the "Object" tab of the Active Directory Users and Computers (ADUC) MMC.
If the distinguished name of an object is "cn=Jim Smith,ou=Sales,ou=West,dc=mydomain,dc=com", then the canonical name will be "mydomain.com/West/Sales/Jim Smith".
Acronym for Common Information Model. The repository in the WMI schema that stores class definitions that model WMI managed resources. See
Common Information Model.
Defines a distinct type of object. Each instance of the class is an object with the attributes specified in the
Schema, but the attributes will generally have different values.
A computer workstation, where users run applications. If the workstation is connected to a network, the users can take advantage of services provided by
servers. Also, in client-server applications the client is the part of the application that runs on a client workstation. See
Acronym for Common Name. Also the moniker for objects with a common name in their
distinguished names, for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com".
Name of the attribute with lDAPDisplayName cn, which is the naming attribute for objects of class user, contact, computer, group, and container. The Relative Distinguished Name (RDN) of these objects is the value
of the cn attribute, also referred to as the common name of the object. The moniker "cn" is also used in the distinguished names of these objects (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com").
The container in Active Directory that specifies the configuration of the
forest. Specifies such things as partitions, sites, servers, display specifiers, services, physical locations, well-known security principals, and forest updates.
More commonly called an operational attribute. An attribute in Active Directory that is calculated by a domain controller on request, rather than being stored in the directory service database.
An object in Active Directory that can contain other objects. The objects most commonly referred to as containers have a Common Name (the naming attribute is the cn attribute). These containers
cannot have group policies applied to them. They can contain users, contacts, groups, computers, and other containers.
Organizational units (the naming attribute is the ou attribute) are also containers. They can contain the same objects, plus other organizational units, and they can have group policies applied. In addition,
computer objects in Active Directory can contain objects like NTFRS Subscriptions and Service Connection Point (SCP) Objects.
Command line utility to import objects into and export objects from Active Directory using comma delimited text files.
Acronym for Discretionary Access Control
DACLs and ACEs.
Acronym for Domain Controller. Also the moniker for
Domain Component, as used in distinguished names (for example "dc=mydomain,dc=com").
The process used by clients to discover domain controllers. See
How Domain Controllers are Located in Windows.
Domain Controller Diagnostics Tool. Command line utility used to analyze and report on the state of
domain controllers. See
Utility used to promote a computer with a Windows Server operating system that is joined to a domain into a
domain controller. Installs Active Directory Domain Services (AD DS). Also used to demote a domain controller by removing AD DS. Note that Server Manager is used instead of dcpromo to promote or demote a computer with Windows
Server 2012 or higher.
Acronym for Dynamic Domain Name
System, or Dynamic DNS. See
Acronym for Data Encryption Standard. A specification for the encryption of electronic data used by
Kerberos. Superseded by the Advanced Encryption Standard (AES). See
Data Encryption Standard.
Acronym for Domain Functional Level. Specifies the versions of Windows Server supported as domain controllers in the
domain, and the features of Active directory that are available.
Acronym for Distributed File System. Client and server services that allow servers to organize distributed file shares into a distributed file system. See
Distributed File System (Microsoft).
Acronym for Distributed File System
Distributed File System Replication.
Acronym for Dynamic Host Configuration
Protocol. Service that provides centralized control of Internet Protocol (IP) addresses. DHCP servers assign dynamic
IP addresses and TCP/IP settings to other computers. See
DHCP (Dynamic Host Configuration Protocol) Basics.
Repository of network operating system information to manage users and other resources in a network. The Microsoft directory service product is Active Directory Domain Services (AD DS).
A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. Sometimes abbreviated DN, this specifies the name of the object (the
Relative Distinguished Name) in its parent
container, and the location of the object in the hierarchical structure of Active Directory. The DN of an object is a string of components (Relative Distinguished Names) separated by commas (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com").
The distinguished name combined with the "LDAP://" moniker forms the ADsPath of the object.
Acronym for Directory Information Tree. The Active Directory database file on a Domain Controller is referred to as the DIT. The file name is ntds.dit.
Acronym for Domain Name System. The service that resolves computer names into IP
addresses. See Domain Name System.
DNS Host Name
The Domain Name System (DNS) host name of any computer in Active Directory is the name used by DNS. An example would be host.mycompany.mydomain.com, where "host" is the Relative Distinguished Name of the computer and
"mycompany.mydomain.com" is the DNS name of the domain.
An X.500-based hierarchical database of containers and objects. Microsoft domains have a DNS domain name, a security service to authenticate and authorize access to resources, and policies that dictate functionality.
Domains are boundaries for administration and replication.
A server with Active Directory installed. A domain controller (DC) is authoritative for the domain to which the server is joined. It contains the Active Directory database for the domain
namespace, plus the Configuration and Schema namespaces for the
Domain Naming Master
The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. One of the five Flexible Single Master Operator (FSMO) roles. The domain controller with
this role can add, remove, rename, or move domains in the
forest. It is also required to create application partitions. One domain controller in the forest must hold this role.
Command line utility to detect differences between naming contexts on domain controllers. See
Function to retrieve the name of a domain controller in a specified domain. See
Command line utility used to query Active Directory. See
Acronym for Directory Services Restore
Mode. Used on Domain Controllers to take the instance of Active Directory on that computer offline, possibly for maintenance or troubleshooting. Requires a DSRM password.
The escape character in Active Directory is the backslash character, "\". Some characters in
distinguished names, such as commas, must be escaped with this character.
Acronym for Extensible Storage Engine. The Jet-based ISAM data storage technology used in Active Directory and Exchange. Also called Jet Blue. Allows data storage and retrieval using
indexed and sequential access. See
Extensible Storage Engine.
Computer networking technologies for Local Area Networks (LANs). See
Acronym for Filtered Attribute Set, the subset of attributes that are not replicated to Read-Only Domain Controllers (RODC's). See
RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC.
Acronym for Forest Functional Level. Specifies the versions of Windows Server supported as domain controllers in the
forest, and the features of Active directory that are available.
Acronym for Fine-Grained Password
Policy. A feature in Windows Server 2008 (and above) to define different password and account lockout policies for different sets of users in a
AD DS: Fine-Grained Password Policies.
Fine-Grained Password Policy (FGPP). A feature in Windows Server 2008 (and above) to define different password and account lockout policies for different sets of users in a
AD DS: Fine-Grained Password Policies.
A collection of Active Directory trees that share a Configuration container and Schema and are connected through
trusts. The forest acts as a security boundary for an organization and defines the scope of authority for administrators.
A DN (Distinguished Name) syntax attribute in Active Directory that is linked through a Link Table to a related back link attribute, also DN syntax. When the forward link is modified,
the system automatically updates the link table for the back link attribute. For example, the member attribute of group objects is the forward link, while the memberOf attribute is the related back link.
Acronym for Fully Qualified Domain
Fully qualified domain name.
Acronym for File Replication Service. Service for distributing shared files and Group Policy Objects (GPO's). See File Replication Service.
Acronym for Flexible Single Master
Operator. These are roles that are assigned only to designated
domain controllers, either one in each domain, or one in the
forest. The five FSMO roles are:
Fully Qualified Domain Name
The Fully Qualified Domain Name (FQDN) of a computer is the host name (the NetBIOS name) of the computer, followed by a dot, followed by the DNS name of the domain. The value of the sAMAccountName
of the computer should be the NetBIOS name with the "$" character appended at the end. If the distinguished name of the domain is "dc=mycompany,dc=mydomain,dc=com", then the DNS name of the domain will
be "mycompany.mydomain.com". If a computer in this domain has host name "mycomputer", then the FQDN will be "mycomputer.mycompany.mydomain.com". The FQDN of other classes of objects, like users, will be the value of the sAMAccountName attribute, followed by
a dot, followed by the DNS name of the domain. See
Fully qualified domain name.
Specifies the versions of Windows Server supported as domain controllers in the domain or
forest, and the features of Active directory that are available.
Acronym for Global Catalog.
A read-only catalog of all objects in a
forest, which contains a subset of the attributes. The subset of attributes is called the partial attribute set (PAS). A domain controller can be designated a GC.
Acronym for Group Policy. See
Step-by-Step Guide to Understanding the Group Policy Feature Set.
Acronym for Group Policy Management
Console, the MMC used to manage group policy objects.
Acronym for Group Policy Object. See
Group Policy Objects.
Acronym for Group Policy Preferences. See
Group Policy Preferences Getting Started Guide.
Command line utility to display the Resultant Set of Policy (RSoP) for a user or computer. See
Command line utility to update group policy settings. See
An object in Active Directory that can have members. Permissions can be granted to security groups (not distribution groups) to give all members access to resources. Members can be users, contacts, computers, or other groups.
Policies linked to Active Directory domains,
organizational units, or groups, which are applied to the child objects within. Group Policies are defined in Group Policy Objects (GPO's). See
Step-by-Step Guide to Understanding the Group Policy Feature Set.
Group Policy Preferences
Group Policy Preferences Getting Started Guide.
Acronym for Globally Unique IDentifier. A 128-bit value that should uniquely identify an object. The value is usually displayed as 32 hexadecimal digits. Every object in Active Directory has an objectGUID
attribute, which is the GUID of the object. See
Globally unique identifier.
A computer connected to a network. Also called a network node.
Acronym for Hold Your Own
Interfaces supported by ADSI. Exposes methods and properties of namespace objects. See
Acronym for Identity and Access Management. See
Identity and Access Management.
Acronym for Internet Authentication
Server. Provides centralized authentication services in Windows Server operating systems. Replaced by Network Policy Server (NPS) in Windows Server 2008.
Acronym for Install From Media, a feature for installing software or enabling features from media. See
Installing AD DS from Media.
Acronym for Internet Information Services. Also sometimes referred to as
Internet Information Server. See
Internet Information Services (IIS).
The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other
domains. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.
Inheritance is when an object or class is based on another object or class. See
Class Inheritance in the Active Directory Schema.
A specific realization of something, such as a class of objects. You instantiate a class to create an instance of the
object. You can then assign values to the attributes of the object. The attributes available are defined by the class in the
schema. An instance of Active Directory is the installation of Active Directory on a specific
Acronym for Infrastructure Planning and
Design guide. Documents providing guidance on design of infrastructure for Microsoft products.
Acronym for Indexed Sequential Access
Method. A method of indexing data for fast retrieval. The Extensible Storage Engine (ESE) used in Active Directory is an implementation of ISAM. See
Acronym for InterSite Topology
Generator. Automatically creates connection objects in Active Directory between domain controllers to enable
The Role of the Inter-Site Topology Generator in Active Directory Replication.
Jet Database Engine
Jet is the acronym for Joint Engine
Technology. Active Directory and Exchange use a Jet-based ISAM data storage technology called Extensible Storage Engine (ESE). See
Microsoft Jet Database Engine.
Acronym for Knowledge Consistency Checker. A process in Active Directory that automatically generates and maintains connection objects that describe which naming contexts should be replicated
between which domain controllers and when. See
KCC Replication Path Computation.
Acronym for Kerberos Constrained Delegation. See
About Kerberos constrained delegation.
Primary authentication method used in Active Directory domains. Uses encrypted tickets to verify the identity of users and services. Older operating systems support DES encryption. Vista, Windows Server 2008, and
newer operating systems support AES encryption.
Acronym for Local Administrator Password
Solution. A Microsoft password management solution for local administrator account passwords. Sets a different random password on every computer in a domain. The passwords are stored in a confidential attribute of the corresponding computer
object in Active Directory. See
Microsoft Security Advisory 3062591.
Acronym for Lightweight Directory Access
Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active
Directory, or any LDAP compliant database. The LDAP syntax is a filter syntax used to query LDAP compliant databases. See
Lightweight Directory Access Protocol.
In the Active Directory each attribute is represented by an object in the
Schema Container, which itself has attributes. Each attribute object has a common name (the value of the cn attribute of the attribute object) and an LDAPDisplayName. When referring to an attribute
programmatically, such as in a script or command line utility, you must use the LDAPDisplayName. This is the name used by LDAP clients, such as the ADSI provider. However, it is also used by the PowerShell
cmdlets, since it uniquely identifies the attribute. In this way the attribute is similar to the sAMAccountName attribute of user, computer,
or group objects in Active Directory.
Acronym for LDAP over SSL. See
LDAP over SSL (LDAPS) Certificate.
Acronym for LDAP Data Interchange
Format. A standard plain text data interchange format. Represents directory content as records for update requests. Used by the ldifde command line utility. See
LDAP Data Interchange Format.
Command line utility to import objects into and export objects from Active Directory using ldif format text files. Can be used to create, modify, and delete Active Directory objects. See
Acronym for LDAP Directory Probe. A graphical user interface (GUI) based LDAP client utility used to search, browse, and update LDAP compliant directories, such as Active Directory. See
The value of a linked multi-valued attribute that was added to Active Directory when the Forest Functional Level was Windows 2000. Such values do not take advantage of
Linked Value Replication. The repadmin tool reports these values as "LEGACY". See
Remediate Active Directory Members that Don't Support LVR.
Lingering objects can occur if a domain controller does not replicate for an interval of time longer than the tombstone lifetime (TSL),
and then reconnects to the replication topology. Objects that were deleted from Active Directory during this time can remain on the domain controller as lingering objects. See
Information about lingering objects in a Windows Server Active Directory forest.
Most attributes are stored directly in the Active Directory database. But linked attributes use a Link Table. The forward link is saved in the AD database, but the value of the corresponding back
link is retrieved using the entry in the link table. See
How the Data Store Works.
Linked attributes are pairs of attributes. The forward link is one you can update. The back link is a related attribute that is automatically updated by the system when the forward
link is updated. Only the forward link is actually saved in Active Directory. A link table determines the value of the back link. Both attributes must be DN (Distinguished Name) syntax. See
How the Data Store Works.
Linked Value Replication
Linked value replication (LVR) is how linked multi-valued attributes replicate when they are updated. Instead of the entire
attribute, only the individual updated values in the attribute are
replicated. Requires Windows Server 2003 Interim mode or Windows Server 2003 Forest Functional Level or higher. When a non-linked multi-valued attribute is updated, the entire attribute must be replicated.
An attribute defined in the schema as mandatory for a class of objects. Every instance of the class of object must have a value assigned to these attributes.
A computer running a Windows Server operating system (a server) that is a member of an Active Directory
domain, but is not a domain controller.
Metadata is data about data. For example, replication metadata is data about replication events, such as the originating source, the USN number, and the date and time of the replication. See
Function or procedure implemented by code. See
Method (computer programming).
Acronym for Multi-Factor Authentication. Authentication that requires more than one verification method. Adds a second layer of security to logons. The verification methods can include: a password, biometrics,
challenge response question, trusted device characteristics, or a pin communicated to a trusted email account or mobile device. A related concept is
Two-Factor Authentication, or
Acronym for Microsoft Identity Manager. The latest version of Microsoft’s Identity and Access management (IAM) product suite. See
Microsoft Identity Manager.
A domain that supports Windows NT
domain controllers. The domain does not support
nested groups. The alternative is Native Mode. The distinction only applies to Windows 2000 Server Domain Functional Level (DFL).
Acronym for Microsoft Management Console. An extensible service for management applications. Provides a user interface allowing addition of snap-ins to manage services in a GUI
Acronym for Managed Service Account. See
Introducing Managed Service Accounts.
Acronym for MicroSoft Authentication
Library. More commonly referred to as the Azure Active
Directory Authentication Library. See
An Active Directory attribute that can have more than one value. Most attributes are single-valued. They can have only one value (or no value). Multi-valued attributes can have no value, one value, or more than one. For example,
the "member" attribute of a group object is a collection of the distinguished names of all objects that are direct members of the group.
A container for a set of identifiers or names. A namespace groups names by functionality. The same object can be represented in more than one namespace, each with different naming conventions. For example, an Active Directory object
can be represented in WinNT, a flat namespace, or in
LDAP, a hierarchical namespace. A .NET namespace would be System.DirectoryServices.ActiveDirectory.
A contiguous sub-tree of the directory that is a unit of replication. In Active Directory each domain controller has at least three Naming Contexts (also called NC
replicas): The Schema NC, the Configuration NC, and the domain naming context.
A domain that does not support Windows NT
domain controllers. The domain also supports nested groups. The alternative is
Mixed Mode. The distinction only applies to Windows 2000 Server Domain Functional Level (DFL).
Command line utility to report NetBIOS over TCP/IP statistics. See
Acronym for NetBIOS over TCP/IP, sometimes also called NetBT. A networking protocol that allows legacy applications that rely on the NetBIOS API
to work in TCP/IP networks. See
NetBIOS over TCP/IP.
Acronym for Naming Context. A partition (namespace) in Active Directory. Examples include the
Configuration container, the Domain Naming context for each
domain, and any application partitions. See
Naming Contexts and Directory Partitions.
A group object in Active Directory that is a member of another group.
The .NET Framework is a programming model designed to replace the Win32 and COM APIs. The major components are the Common Language
Runtime (CLR) and the .NET Framework class libraries.
Acronym for Network Basic Input/Output
System. Service allowing applications on separate computers to communicate over a network. Uses NetBIOS over TCP/IP
(NBT) protocol. The NetBIOS name of a computer is generally the first 15 characters of the host name, followed by the "$" character. NetBIOS name to IP
address resolution is provided by the WINS service on a WINS
Acronym for NetBIOS over TCP/IP, also called NBT. A networking protocol that allows legacy applications that rely on the NetBIOS API
to work in TCP/IP networks. See NetBIOS over TCP/IP.
Command line utility to diagnose network and connectivity problems. Not supported after Windows Server 2003. See
Command line utility to manage Active Directory domains and
A service that verifies NTLM logon requests. It registers, authenticates, and locates domain controllers. Also, the Netlogon share stores logon scripts and possibly other files. See
Acronym for Network statistics. Command line utility to display information on network connections. See
Command line utility to perform network administration tasks. See
Acronym for Network Operating System. An operating system installed on a server that allows clients to communicate and share resources on the server. See Network operating system.
Acronym for Network Policy Server. Microsoft's implementation of Remote Authentication Dial-In User Service (RADIUS).
Originally the Internet Authentication Server (IAS) role service (before Windows Server 2008). See Network Policy Server.
Command line utility to diagnose Domain Name Service (DNS) infrastructure problems. See
Acronym for Windows NT, a family of Microsoft operating systems. NT originally was the acronym for
New Technology. See
Command line utility to manage Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). See
Acronym for NT File Replication
Service. Service for distributing shared files and Group Policy Objects (GPO's). See File Replication Service.
Acronym for Network Time Protocol. Protocol for time synchronization between computer systems. See
Network Time Protocol.
An entry in the directory of a specific class. Objects in Active Directory have attributes appropriate for their class.
Acronym for Object IDentifier. For example, each attribute in the Active Directory schema has a unique X.500 OID (the value of the attributeID attribute
of the attribute). All OID values created by Microsoft begin with 1.2.840.113556. OID values are also used to identify attribute syntaxes and filter matching rules. See Object identifier.
A third party identity provider that implements single sign-on using the WS Federation/WS-Trust identity standard. See
Azure Active Directory federation compatibility list: third-party identity providers that can be used to implement single sign-on.
A command line tool developed by Joe Richards (DS-MVP) to query Active Directory for unused computer or user accounts. Can also clean up the accounts. See
An attribute in Active Directory that is calculated by a domain controller on request, rather than being stored in the directory service database. Also called a constructed attribute.
An attribute defined in the schema as optional for a class of objects. Any instance of the class of object can have a value assigned to any
of these attributes, but they are not required to have a value.
A type of container in an Active Directory
domain. It can contain objects like users, computers, contacts,
groups, or other OU's or containers. OU's can also have group policies applied.
Acronym for One Time Password. See
Strong Authentication with One-Time Passwords in Windows 7 and Windows Server 2008 R2.
Acronym for Organizational Unit. Also the naming attribute for organizational unit objects in Active Directory, and the moniker used in their distinguished names (for example "ou=West,dc=mydomain,dc=com").
A subdivision of a database. In Active Directory, each naming context is a partition. Also called a naming context.
Acronym for Partial Attribute Set. The subset of attributes of the objects replicated to the
Global Catalog. See
Active Directory: Attributes in the Partial Attribute Set.
Acronym for Password Change Notification
Service. Enables synchronization of passwords between Active Directory and other identity systems. See
Password Change Notification Service.
Acronym for Primary Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts
no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.
Acronym for PDC emulator or Primary
Domain Controller emulator. See PDC Emulator.
The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. Password changes made on any domain controller are replicated to it immediately, and a domain controller that rejects a password retries the authentication against the PDC Emulator before failing it, which is why lockout and bad-password counts are most accurate there. It is the authoritative time source for the domain (the forest root domain's PDC Emulator is the time source for the forest), and most Group Policy tools target it when editing GPOs.
One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.
Scripting language and command line shell built on the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or run as a script with the statements saved in a file with the .ps1 extension.
Pre-Windows 2000 Name
The value of the sAMAccountName attribute of user and group objects in Active Directory. For computer objects, it
is the NetBIOS name of the machine (the sAMAccountName is the NetBIOS name with the "$" character appended to the end). For user objects in the Active Directory Users and Computers
MMC snap-in, the field is called the "pre-Windows 2000 logon name".
Each user and computer object in Active Directory has one group designated as their "primary" group. By default the primary group for users is the "Domain Users" group. The default primary group for computer objects is the "Domain Computers"
group. Primary group membership is not included in the memberOf attribute of the user or computer, or in the member attribute of the group.
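As an added example (not part of this glossary), the Python below shows why an audit that reads only memberOf or member misses primary-group membership: a user whose primaryGroupID is 512 is a member of Domain Admins even though the group's member attribute does not list her. The directory snapshot and the domain SID are constructed for the example; a real audit would fetch the same attributes over LDAP.

```python
# Added example, not from the glossary. Resolves a principal's complete direct
# group membership: memberOf plus the group named by primaryGroupID.
# The snapshot below is constructed data shaped like LDAP search results.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # assumed domain SID

DIRECTORY = {
    "CN=alice,OU=West,DC=corp,DC=example": {
        "objectSid": DOMAIN_SID + "-1105",
        "primaryGroupID": 512,      # Domain Admins, set with the "Set Primary Group" button
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=corp,DC=example"],
    },
    "CN=bob,OU=West,DC=corp,DC=example": {
        "objectSid": DOMAIN_SID + "-1106",
        "primaryGroupID": 513,      # Domain Users, the default for user objects
        "memberOf": [],
    },
    "CN=Helpdesk,OU=Groups,DC=corp,DC=example": {
        "objectSid": DOMAIN_SID + "-1201",
        "member": ["CN=alice,OU=West,DC=corp,DC=example"],
    },
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": {
        "objectSid": DOMAIN_SID + "-512",
        "member": [],               # alice is not listed, yet she is a member
    },
    "CN=Domain Users,CN=Users,DC=corp,DC=example": {
        "objectSid": DOMAIN_SID + "-513",
        "member": [],
    },
}


def dn_for_sid(sid):
    """Look a SID up in the snapshot (an LDAP search on objectSid in practice)."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectSid") == sid:
            return dn
    raise KeyError(sid)


def primary_group_sid(attrs):
    """The primary group's SID is the principal's own domain SID plus primaryGroupID as RID."""
    domain_sid = attrs["objectSid"].rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, attrs["primaryGroupID"])


def direct_groups(user_dn):
    """Every group the user is a direct member of, including the primary group.
    Nested membership is not expanded here."""
    attrs = DIRECTORY[user_dn]
    groups = set(attrs.get("memberOf", []))
    groups.add(dn_for_sid(primary_group_sid(attrs)))
    return sorted(groups)


def hidden_domain_admins():
    """Users whose primary group is Domain Admins (RID 512) but who are absent
    from the group's member attribute, so a member-based review would miss them."""
    listed = set(DIRECTORY[dn_for_sid(DOMAIN_SID + "-512")]["member"])
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if attrs.get("primaryGroupID") == 512 and dn not in listed)


if __name__ == "__main__":
    for user in ("CN=alice,OU=West,DC=corp,DC=example", "CN=bob,OU=West,DC=corp,DC=example"):
        print(user, "->", direct_groups(user))
    print("Domain Admins via primary group only:", hidden_domain_admins())
```

The same check against a live domain is a search for (primaryGroupID=512) alongside the member attribute of Domain Admins; the LDAP matching rule LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) on member does not see primary-group membership either.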
Fixed values assigned to objects. In Active Directory, the properties of objects are usually called
attributes. Active Directory attributes themselves have properties, as specified in the schema.
Library of interfaces including methods and properties that expose directory
namespaces. Active Directory is supported by the LDAP and WinNT providers.
Acronym for Password Settings Object. Objects in the Password Settings Container (under the System container) of Active Directory that implement Fine-Grained Password Policies (FGPP), allowing different password and lockout settings for different users and groups in one domain. See
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide.
Acronym for Relative Distinguished Name. The name of an
object in Active Directory relative to its location in the hierarchical structure of Active Directory. The Relative Distinguished Name is the lowest level component of the
Distinguished Name (DN). The RDN must be unique in the parent
container or Organizational Unit (OU), while the Distinguished Name is unique in the forest.
An optional feature (Windows Server 2008 R2 forest functional level or later) that preserves deleted objects with all their attributes, including group memberships, so they can be restored intact. Deleted objects stay restorable for the deleted object lifetime (msDS-deletedObjectLifetime, which defaults to the tombstone lifetime), then become recycled objects with most attributes stripped, and are removed permanently when the tombstone lifetime expires. Enabling the feature is forest-wide and cannot be undone. See
Active Directory Recycle Bin Step-by-Step Guide.
Relative Distinguished Name
The name of an object in Active Directory relative to its location in the hierarchical structure of Active Directory. The Relative Distinguished Name, abbreviated RDN, is the lowest level component of the Distinguished
Name (DN). The RDN must be unique in the parent container or Organizational Unit (OU), while the Distinguished Name is unique in the forest.
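To make the RDN/DN relationship concrete, here is an added example (written for this glossary, not taken from it) that splits a DN into its RDNs following the RFC 4514 string syntax, where a backslash escapes a comma inside a value, and checks a list of DNs for RDN uniqueness under a common parent. The sample DNs are constructed.

```python
# Added example, not from the glossary. Splits a Distinguished Name into its
# Relative Distinguished Names following the RFC 4514 string syntax, where a
# backslash escapes a comma (or other special character) inside a value.

def split_dn(dn):
    """Return the RDNs of dn as strings, leftmost (the object's own RDN) first."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep the pair verbatim
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the current RDN
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).lstrip())
    return rdns


def rdn(dn):
    """The lowest-level component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The DN of the container or OU that holds the object."""
    return ",".join(split_dn(dn)[1:])


def rdn_type_and_value(rdn_str):
    """'OU=West' -> ('OU', 'West'); the type is the naming attribute (cn, ou, dc)."""
    attr, _, value = rdn_str.partition("=")
    return attr.strip(), value


def rdn_clashes(dns):
    """Pairs of DNs that would violate RDN uniqueness: the same RDN under the
    same parent. Comparison is case-insensitive, as in Active Directory."""
    seen, clashes = {}, []
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn(dn).lower())
        if key in seen:
            clashes.append((seen[key], dn))
        else:
            seen[key] = dn
    return clashes


if __name__ == "__main__":
    sample = "CN=Smith\\, John,OU=West,DC=mydomain,DC=com"   # constructed DN with an escaped comma
    print(split_dn(sample))
    print("RDN:", rdn(sample), "| parent:", parent_dn(sample))
```

Splitting on commas without honouring the escape is a common bug in home-grown LDAP tooling; a user named "Smith, John" would be parsed as two RDNs and any filter or ACL built from the result would target the wrong object.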
Command line utility to diagnose Active Directory replication between
domain controllers, showing replication partners, failures, queues and per-object replication metadata.
A copy of an Active Directory namespace (or
naming context) on a domain controller that replicates with other domain controllers.
The process by which domain controllers keep their Active Directory databases synchronized. See
How Active Directory Replication Works.
Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components,
including the RID. The SID without the RID is the same for all objects in a
domain. The RID value uniquely identifies the object in the domain.
The RID Master role holder is the domain controller responsible for assigning pools of RID's to all domain controllers in the
domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator roles (FSMO).
Acronym for Read-Only Domain
Controller. Holds a read-only copy of the directory and cannot be used to update objects in Active Directory; writes are referred to a writeable domain controller. It caches only the passwords its Password Replication Policy allows, so compromising a branch-office RODC does not expose every account in the domain. See
AD DS: Read-Only Domain Controllers.
Acronym for Root Directory Service
Entry (or Root DS Entry), an object required of all LDAP compliant directories (such as Active Directory). Exposes a set of properties that are characteristic of the directory, such as the naming contexts it holds, the domain and forest functional levels, and the supported LDAP controls and SASL mechanisms. It can be read without authenticating, which makes it the first query both administrators and attackers send to a domain controller.
Acronym for Remote Server Administration Tools. See
Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki).
Acronym for ReplicateSingleObject. A Read-Only Domain Controller (RODC) can request replication of a specific object from a writeable domain controller with functionality
known as a Replicate-Single-Object operation, for example to fetch a changed password immediately. See replicateSingleObject.
Acronym for Resultant Set of Policy. See
Resultant Set of Policy (RSoP).
Acronym for Recipient Update Service. See Recipient Update Service.
Acronym for Read-Write Domain
Controller. A writeable domain controller, meaning it can be used to update objects in Active Directory. All domain controllers are writeable unless they are a Read-Only Domain Controller (RODC).
Acronym for System Access Control List. The part of a security descriptor that holds audit ACEs, which specify which access attempts by which trustees generate security audit events; the Discretionary Access Control List (DACL) holds the permission ACEs. See
Access Control Lists.
Acronym for Security Account Manager, the Windows NT account database format. A Windows NT SAM account database exposes a flat namespace (with no hierarchy). See
Security Accounts Manager.
The logon name used to support clients and servers running earlier versions of Windows. Also called the "Pre-Windows 2000 logon name". Must be unique in the domain and at most 20 characters for user objects.
Acronym for Security Assertion Markup
Language. An XML based standard for exchanging authentication and authorization data between an identity provider and
a service or application. See Security Assertion Markup Language.
Acronym for Simple Authentication and
Security Layer. A framework for authentication and data security on the Internet. See
Simple Authentication and Security Layer.
Defines the structure of the data in a database. In Active Directory, the Schema container defines the object classes and the attributes that apply to each class in Active Directory.
The container within the Configuration container with objects that define the classes in Active Directory and the attributes that apply to the classes.
The Schema Master role holder is the domain controller that can make changes to the
Schema. One domain controller in the forest must hold this role. One of the five Flexible Single Master Operator roles (FSMO).
Acronym for Service Connection Point object. An object that represents one or more instances of a service and is used to connect to the service. These are objects in Active Directory
usually published under the computer object where the corresponding service is installed. Used to maintain information about the service. See
Publishing with Service Connection Points.
Acronym for Security Descriptor Propagator. A process that runs on the PDC Emulator (every 60 minutes by default) and copies the security descriptor of the AdminSDHolder object onto every protected account and group (members of Domain Admins, Enterprise Admins, Administrators, Account Operators and similar groups, marked with adminCount=1), undoing any ACL change made directly to those objects. See
AdminSDHolder, Protected Groups and SDPROP.
Acronym for System.DirectoryServices namespace. The primary namespace used for code that targets Active Directory in the .NET Framework.
An object in Active Directory (a user, computer or group) that can be granted permissions and rights. A security principal must have the objectSid attribute, so it can be the trustee in an Access Control Entry (ACE).
A computer with a server operating system that can share resources in a network. A Domain Controller is one type of server.
Acronym for Security IDentifier. All objects in Active Directory that are security principals (users, computers, groups) have the objectSID attribute, which is a SID.
The SID uniquely identifies the object for security permissions. The SID value includes several components, including a RID (Relative ID). The SID without the RID is the same for all objects in the
domain. Each security principal object in an Active Directory domain has its own unique RID value.
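Added example (not from the glossary): Python that converts between the string form of a SID and the binary form stored in objectSid, separates the domain SID from the RID, and names the well-known RIDs. The sample SIDs are constructed; the layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) is the documented SID structure.

```python
# Added example, not from the glossary. Converts between the string form of a
# SID (S-1-5-21-...) and the binary form stored in objectSid, and splits a
# domain SID from its RID. Sample SIDs are constructed.
import struct

# RIDs that are fixed for every domain: renaming the account does not change them.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}


def sid_to_bytes(sid):
    """String SID -> binary: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Binary objectSid -> string form, validating the declared length."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_sid(sid):
    """(domain SID, RID) for a domain security principal; the domain part is
    identical for every principal in the domain, the RID is unique within it."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-5-21-") or domain.count("-") != 6:
        raise ValueError("not a domain principal SID: %r" % sid)
    return domain, int(rid)


def describe(sid):
    """Name the well-known account or group behind a RID, if any."""
    _, rid = split_domain_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, "RID %d (assigned from a RID pool)" % rid)


if __name__ == "__main__":
    sample = "S-1-5-21-1111111111-2222222222-3333333333-500"   # constructed
    print(sid_to_bytes(sample).hex())
    print(bytes_to_sid(sid_to_bytes(sample)))
    print(split_domain_sid(sample), describe(sample))
```

The practical point of the RID table: a renamed built-in Administrator account is still RID 500, so reviews should key on the SID rather than on the display name or sAMAccountName.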
An Active Directory site defines the boundaries of high-speed connectivity for optimal replication and authentication. Sites are defined in the Configuration container of Active Directory.
An object in Active Directory that defines the connection between
sites, allowing them to replicate with each other.
Acronym for Simple Network Time
Protocol. A less complex implementation of NTP. See Network Time Protocol.
Acronym for Start Of Authority. The DNS resource record at the top of every zone that names the zone's primary name server and responsible contact and carries the zone serial number and the refresh, retry, expire and minimum TTL timers used by secondary servers. Also acronym for
Service Oriented Architecture. Software architecture where discrete pieces of software provide application functionality as services to other applications. See Service-oriented architecture.
Acronym for Service Principal Name. The name by which a client uniquely identifies an instance of a service. Each instance of a service must have its own SPN, but a given service instance can have multiple
SPN's. See Service Principal Names.
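As an added example (not part of this glossary), the Python below parses SPNs of the form serviceclass/host[:port][/servicename], finds SPNs claimed by more than one account, which breaks Kerberos authentication to that service because the KDC cannot choose a key, and lists user accounts that carry SPNs, which any authenticated principal can request tickets for and attack offline. The account snapshot is constructed.

```python
# Added example, not from the glossary. Parses SPNs of the form
# serviceclass/host[:port][/servicename], finds duplicates across accounts
# (which break Kerberos authentication to that service) and lists user
# accounts that carry SPNs. Account data is constructed.
from collections import defaultdict


def parse_spn(spn):
    service_class, sep, rest = spn.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError("malformed SPN: %r" % spn)
    host_port, _, service_name = rest.partition("/")
    host, _, port = host_port.partition(":")
    return {
        "class": service_class,
        "host": host,
        "port": int(port) if port else None,
        "service_name": service_name or None,
    }


# Constructed snapshot: what an LDAP search for servicePrincipalName=* might return.
ACCOUNTS = [
    {"dn": "CN=SQL01,OU=Servers,DC=corp,DC=example", "objectCategory": "computer",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433", "HOST/sql01.corp.example"]},
    {"dn": "CN=svc_sql,OU=Service Accounts,DC=corp,DC=example", "objectCategory": "person",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},   # duplicate of SQL01's SPN
    {"dn": "CN=svc_web,OU=Service Accounts,DC=corp,DC=example", "objectCategory": "person",
     "servicePrincipalName": ["HTTP/intranet.corp.example"]},
    {"dn": "CN=krbtgt,CN=Users,DC=corp,DC=example", "objectCategory": "person",
     "servicePrincipalName": ["kadmin/changepw"]},
    {"dn": "CN=alice,OU=West,DC=corp,DC=example", "objectCategory": "person",
     "servicePrincipalName": []},
]


def duplicate_spns(accounts):
    """SPN -> list of DNs that all claim it. The KDC cannot tell which account's
    key to use for the service ticket, so authentication to that SPN fails.
    servicePrincipalName compares case-insensitively, so normalise first."""
    owners = defaultdict(list)
    for acct in accounts:
        for spn in acct["servicePrincipalName"]:
            owners[spn.lower()].append(acct["dn"])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def users_with_spns(accounts):
    """User (not computer) accounts that hold an SPN. Any authenticated principal can
    request a service ticket for these, encrypted with the account's password-derived
    key, and crack it offline (Kerberoasting). krbtgt is skipped: its SPN is built in."""
    return [acct["dn"] for acct in accounts
            if acct["objectCategory"] == "person"
            and acct["servicePrincipalName"]
            and not acct["dn"].lower().startswith("cn=krbtgt,")]


if __name__ == "__main__":
    print(parse_spn("MSSQLSvc/sql01.corp.example:1433"))
    print("duplicates:", duplicate_spns(ACCOUNTS))
    print("users with SPNs:", users_with_spns(ACCOUNTS))
```

Against a live domain the same two checks are an LDAP search for (servicePrincipalName=*) grouped by value, and a search for (&(objectCategory=person)(servicePrincipalName=*)); accounts in the second list should have long random passwords or be group Managed Service Accounts.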
Service (SRV) resource records in DNS. Clients use them to locate domain controllers and the services they offer, for example _ldap._tcp.dc._msdcs.<domain> for LDAP on domain controllers and _kerberos._tcp.<domain> for the KDC. See SRV record.
Acronym for Secure Sockets Layer. Predecessor to Transport Layer Security (TLS). See
Transport Layer Security.
Acronym for Single Sign On. A property of access control across multiple related but independent software systems that allows users to log on once and gain access to all systems without being prompted to log on
again. See Single sign-on.
A computer running a Windows Server operating system (a server) that is not a member of an Active Directory domain. Its accounts live in its local SAM database.
A portion of a network defined by a subnet mask applied to the IP addresses of the components. Subnets are defined in the Configuration container of Active Directory.
A collection of folders and reparse points in the file system that exists on each domain controller in a
domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication Service (FRS) or, in domains created at the Windows Server 2008 functional level or later, DFS Replication (DFSR) can distribute them to other domain controllers
within that domain. Because every domain computer applies scripts and settings read from SYSVOL, write access to it is equivalent to control of those computers. See
Introduction to Administering SYSVOL.
Acronym for Ticket Granting Service. The part of the Kerberos Key Distribution Center (KDC) that issues service tickets to a client presenting a valid Ticket Granting Ticket (TGT).
See Kerberos (protocol).
Acronym for Ticket Granting Ticket. A ticket issued by the Key Distribution Center (KDC) after the user authenticates; the client presents it to the Ticket Granting Service to obtain service tickets without re-entering credentials. It is encrypted with the krbtgt account's key and contains the client identity, a session key and the validity period, so whoever holds the krbtgt key can forge TGTs, which is why that account's password must be protected and rotated.
Acronym for Transport Layer Security. Successor to Secure Sockets Layer (SSL). See
Transport Layer Security.
Deleted objects in the "Deleted Objects" container are referred to as tombstones. When an object is deleted from Active Directory (and the Recycle Bin is not enabled), most of its attributes are stripped, a few key ones such as objectGUID, objectSid and sAMAccountName are kept, and the remainder is moved to the "Deleted Objects" container.
Tombstones stay there for the tombstone lifetime, during which they can be reanimated, although the stripped attributes (group memberships among them) are not recovered; afterwards they are removed permanently by garbage collection.
A collection of Active Directory hierarchical domains in a contiguous DNS namespace.
A relationship between domains that allows security principals in one domain to be granted access to resources in another. Trusts can be one-way or two-way and transitive or non-transitive; domains in one forest trust each other transitively by default. A trusting domain inherits the security of the trusted domain's accounts, so trusts widen the attack surface and should be reviewed together with their SID filtering and selective authentication settings.
The identity of the object to which an Access Control Entry applies.
Acronym for Tombstone Lifetime. The number of days a deleted object remains in the directory as a tombstone (or, with the Recycle Bin enabled, as a recycled object) before garbage collection removes it. Stored in the tombstoneLifetime attribute of the Directory Service object in the Configuration partition; the default is 60 days for forests created before Windows Server 2003 SP1 and 180 days for newer forests. A backup older than the tombstone lifetime must not be restored, and a domain controller that has not replicated for longer than this can reintroduce lingering objects.
Acronym for User Principal Name, or the userPrincipalName attribute. A logon name in the form user@suffix, where the suffix is a domain name or an alternative UPN suffix registered in the forest; it should be unique across the forest.
Acronym for Update Sequence Number. Used in Active Directory replication. A 64-bit counter on each domain controller, incremented for every change committed to its database; replication partners record the highest USN they have received from each source (the high-watermark) and ask only for changes above it.
Acronym for Up-To-Dateness Vector. A table kept by each domain controller that records, for every other domain controller's invocation ID, the highest originating USN it has already applied; a replication partner uses it to skip changes the requesting domain controller already has.
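The interplay of USNs, high-watermarks and the up-to-dateness vector is easier to see in code. The toy model below is an added example written for this glossary, not Microsoft's replication engine: it keeps one change log per domain controller, uses the DC name in place of the real invocation ID GUID, and omits the conflict resolution (version numbers and timestamps) and linked-value handling a real domain controller performs. The scenario data is constructed.

```python
# Added example, not from the glossary. A toy model of USN-based replication:
# each DC numbers its own writes with a local USN, remembers a high-watermark
# per partner, and keeps an up-to-dateness vector (UTD) of the highest
# originating USN it has applied from every DC. Names stand in for invocation IDs.

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0                 # highest committed local USN
        self.log = []                # (local_usn, origin_dc, origin_usn, dn, attr, value)
        self.data = {}               # (dn, attr) -> (value, origin_dc, origin_usn)
        self.utd = {}                # origin_dc -> highest origin_usn applied here
        self.high_watermark = {}     # partner name -> highest partner-local USN received

    def _apply(self, dn, attr, value, origin_dc, origin_usn):
        self.usn += 1                # every applied change consumes a local USN
        self.data[(dn, attr)] = (value, origin_dc, origin_usn)
        self.log.append((self.usn, origin_dc, origin_usn, dn, attr, value))
        self.utd[origin_dc] = max(self.utd.get(origin_dc, 0), origin_usn)

    def write(self, dn, attr, value):
        """An originating write on this DC: stamped with its own name and next USN."""
        self._apply(dn, attr, value, self.name, self.usn + 1)

    def changes_for(self, partner_hwm, partner_utd):
        """Serve a partner's request. Send only log entries above the partner's
        high-watermark for us, and drop those the partner already has according
        to its UTD vector (propagation dampening)."""
        return [entry for entry in self.log
                if entry[0] > partner_hwm
                and partner_utd.get(entry[1], 0) < entry[2]]

    def pull_from(self, source):
        """One inbound replication cycle from source; returns how many changes arrived."""
        changes = source.changes_for(self.high_watermark.get(source.name, 0), self.utd)
        for _, origin_dc, origin_usn, dn, attr, value in changes:
            self._apply(dn, attr, value, origin_dc, origin_usn)
        self.high_watermark[source.name] = source.usn
        return len(changes)


def scenario():
    """Three DCs; the same change reaches C by two paths but is applied once."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    a.write("CN=alice,DC=corp,DC=example", "description", "first")
    n1 = b.pull_from(a)   # B receives A's write
    n2 = c.pull_from(a)   # C receives it directly from A
    n3 = c.pull_from(b)   # B would forward the same change; C's UTD entry for A stops it
    b.write("CN=alice,DC=corp,DC=example", "description", "second")
    n4 = c.pull_from(b)   # only B's new originating write crosses
    return (n1, n2, n3, n4), c.data[("CN=alice,DC=corp,DC=example", "description")]


if __name__ == "__main__":
    counts, final = scenario()
    print("changes received per cycle:", counts)
    print("C's final value and originating stamp:", final)
```

The model also shows why a domain controller restored from a snapshot is dangerous: if it keeps its invocation ID but its USN counter goes backwards, partners whose high-watermark is already past the reused numbers never ask for the new changes. Active Directory detects this condition (USN rollback) and stops replicating with the affected domain controller.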
Visual Basic Scripting Edition, a subset of the classic Visual Basic language. Programs written in VBScript are saved in files with the .vbs extension. VBScript programs can be run with either of two host programs, cscript.exe or wscript.exe.
Acronym for Virtual List View. Searching capability allowing display of results without returning every entry. See
Virtual List View (VLV) and Active Directory - What's it Good For?
The Windows Time service, which synchronizes the time on all computers in the forest. Domain members synchronize with a domain controller, domain controllers with their domain's PDC Emulator, and the forest root PDC Emulator with an external source. Kerberos rejects tickets from clocks that are more than five minutes out of step (by default), so time synchronization is a prerequisite for authentication.
Acronym for Windows Azure Active
Directory. Also known as Azure Active Directory (AAD). Active Directory Domain Services in the Windows Azure cloud. Windows Azure is the Microsoft cloud computing platform, and one of the services available is Active Directory.
Windows NT namespace provider, supporting the Windows NT SAM account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.
Acronym for Windows Internet Naming
Service. Resolves computer NetBIOS names into IP Addresses. See
Windows Internet Name Service.
Acronym for Windows Management Instrumentation. WMI is management technology allowing scripts and programs to monitor and control managed resources throughout the network. Resources include hard drives,
file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups. See Windows Management Instrumentation.
A computer with a non-server operating system used by users, as opposed to a
server. A workstation can be joined to a domain.
Acronym for Web Proxy AutoDiscovery. A service provided via either DHCP or DNS to help clients automatically find a proxy server. See
Web Proxy Autodiscovery Protocol.
Acronym for WMI Query Language, a subset of ANSI Structured Query Language (SQL)
used to query WMI namespaces. See WQL.
Acronym for Windows Server Active
Directory. On-premises Active Directory, as opposed to the cloud-based Azure Active Directory (AAD).
Acronym for Windows Script Host, an ActiveX scripting host providing an environment for the execution of scripts using one of several scripting engines or languages, such as
VBScript or JScript.
Computer networking standards for directory services, from which LDAP and the Active Directory schema (object classes, attributes and their OIDs) derive. Developed by ITU-T (International Telecommunications Union, Telecommunications
sector), formerly CCITT (International Telegraph and Telephone Consultative Committee). See X.500.
A collection of contiguous hierarchical domain names. A portion of the DNS namespace delegated to one or more name servers.