Active Directory provisioning

Active Directory provides directory services with a rich security structure that can be used as a base service for hosted applications. Microsoft Provisioning System includes the Active Directory Provider and the Managed Active Directory namespace that automate Active Directory provisioning tasks.

Delegated Administration Console is an example of a service that uses Active Directory. Active Directory enables the delegated administration of provisioned Web and e-mail services from Delegated Administration Console. Active Directory stores information about the access rights that user accounts have to objects in the directory and verifies permissions whenever a user account requests an object.

As described in Active Directory implementation architecture, when you install Delegated Administration Console, Setup initializes Active Directory for hosting in a multiple-tenant environment. To enable delegated administration, when you create a new organization, Microsoft Provisioning System creates appropriate Active Directory organizational units and security groups. It then sets access control entries (ACEs) on the organization's objects in the directory so that only authorized users can access and manipulate them. When you use Delegated Administration Console to provision a Web site for an organization, Microsoft Provisioning System automatically creates the site and sets ACEs on its folders and metabase objects to allow organization administrators to manage the Web site.
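One way to check the isolation described above is to audit the DACL of an organization's organizational unit for write access held by anyone other than the expected administrators. The following is an added example, not part of Microsoft Provisioning System: the tenant groups, SIDs and SDDL string are constructed, and the allow-list and the set of rights treated as write access are assumptions.

```python
import re

# SDDL right codes that let a trustee change directory objects (assumed policy).
WRITE_RIGHTS = {"GA", "GW", "WP", "CC", "DC", "DT", "SD", "WD", "WO", "SW"}

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for every ACE in the D: section."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((fields[0], fields[2], fields[5]))
    return aces

def write_rights(rights):
    """Write-class rights in an ACE; hex masks are returned whole for review."""
    if rights.lower().startswith("0x"):
        return [rights]
    return sorted(set(re.findall("..", rights)) & WRITE_RIGHTS)

def unexpected_writers(sddl, allowed_trustees):
    """Allow ACEs that grant write-class rights to a trustee not on the list."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type not in ("A", "OA") or trustee in allowed_trustees:
            continue
        granted = write_rights(rights)
        if granted:
            findings.append((trustee, granted))
    return findings

# Constructed sample: DACL of a hypothetical tenant OU; all SIDs are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TENANT_ADMINS, TENANT_USERS, OTHER_TENANT = (f"{DOMAIN}-{rid}" for rid in (1105, 1106, 1207))
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI(A;CI;GA;;;SY)(A;CI;GA;;;DA)"
    f"(A;CI;RPWPCCDCLC;;;{TENANT_ADMINS})(A;CI;RPLC;;;{TENANT_USERS})"
    f"(A;CI;RPWP;;;{OTHER_TENANT})(A;;CCDC;;;AU)"
)
ALLOWED = {"SY", "DA", TENANT_ADMINS}

if __name__ == "__main__":
    for trustee, rights in unexpected_writers(SAMPLE_SDDL, ALLOWED):
        print(f"unexpected write access: {trustee} -> {','.join(rights)}")
```

On the sample, the audit reports the other tenant's group and Authenticated Users, while the tenant's read-only user group passes.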

If you decide to implement additional hosted services by using the providers included with Microsoft Provisioning Framework (MPF), you can use Active Directory as a base service in a similar manner.

For more information about the Active Directory Provider, see Active Directory Provider. For more information about the non-provider namespace that Microsoft Provisioning System provides for Active Directory, see Managed Active Directory.