access control entry (ACE)

An entry in an object's discretionary access control list (DACL) that grants permissions to a user or group. An ACE is also an entry in an object's system access control list (SACL) that specifies the security events to be audited for a user or group.

See also: access control list (ACL); discretionary access control list (DACL); object; permission

access control list (ACL)

A list of security protections that apply to an entire object, a set of the object's properties, or an individual property of an object. There are two types of access control lists: discretionary and system.

See also: access control entry (ACE); discretionary access control list (DACL); object


ACE

See definition for: access control entry (ACE)


ACL

See definition for: access control list (ACL)

Active Directory

The directory service that stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.

See also: domain; forest


auditing

The process that tracks the activities of users by recording selected types of events in the security log of a server or a workstation.


authentication

The process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer.


authorization

The process that determines what a user is permitted to do on a computer system or network.





cluster

In data storage, the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows organize hard disks based on clusters, which consist of one or more contiguous sectors. The smaller the cluster size, the more efficiently a disk stores information. If no cluster size is specified during formatting, Windows picks defaults based on the size of the volume. These defaults are selected to reduce the amount of space that is lost and the amount of fragmentation on the volume. Also called an allocation unit.

In computer networking, a group of independent computers that work together to provide a common set of services and present a single-system image to clients. The use of a cluster enhances the availability of the services and the scalability and manageability of the operating system that provides the services.

Cluster service

The essential software component that controls all aspects of server cluster operation and manages the cluster database. Each node in a server cluster runs one instance of the Cluster service.

See also: cluster; server cluster


COM

See definition for: Component Object Model (COM)

Component Object Model (COM)

An object-based programming model designed to promote software interoperability; it allows two or more applications or components to easily cooperate with one another, even if they were written by different vendors, at different times, in different programming languages, or if they are running on different computers running different operating systems. Object linking and embedding (OLE) technology and ActiveX are both built on top of COM.



DACL

See definition for: discretionary access control list (DACL)

Delegated Administration Web Console

A browser-based tool for managing Microsoft Provisioning System. It enables the delegation of administration by selectively presenting administrative options to users based on their logon credentials.

discretionary access control list (DACL)

The part of an object's security descriptor that grants or denies specific users and groups permission to access the object. Only the owner of an object can change permissions granted or denied in a DACL; thus, access to the object is at the owner's discretion.

See also: access control entry (ACE); object


DNS

See definition for: Domain Name System (DNS)


domain

In Active Directory, a collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.

In DNS, any tree or subtree within the DNS namespace. Although the names for DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Active Directory domains.

See also: Active Directory; Domain Name System (DNS); object

domain controller

In an Active Directory forest, a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. Administrators can manage user accounts, network access, shared resources, site topology, and other directory objects from any domain controller in the forest.

See also: Active Directory; authentication; forest

domain name

The name given by an administrator to a collection of networked computers that share a common directory. Part of the Domain Name System (DNS) naming structure, domain names consist of a sequence of name labels separated by periods.

See also: domain; Domain Name System (DNS)

Domain Name System (DNS)

A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

See also: domain


Extensible Markup Language (XML)

A meta-markup language that provides a format for describing structured data. This facilitates more precise declarations of content and more meaningful search results across multiple platforms. In addition, XML enables a new generation of Web-based data viewing and manipulation applications.



failover

The process of taking resource groups offline on one node and bringing them back online on another node. When a resource group goes offline, all resources belonging to that group go offline. The offline and online transitions occur in a predefined order, with resources that are dependent on other resources taken offline before and brought online after the resources upon which they depend.

See also: resource


forest

One or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.

See also: Active Directory; domain; global catalog; schema


FQDN

See definition for: fully qualified domain name (FQDN)

fully qualified domain name (FQDN)

A DNS domain name that has been stated unambiguously so as to indicate with absolute certainty its location in the domain namespace tree. Fully qualified domain names differ from relative names in that they are typically stated with a trailing period (.)—for example,—to qualify their position to the root of the namespace.

See also: domain name; Domain Name System (DNS)


global catalog

A directory database that applications and clients can query to locate any object in a forest. The global catalog is hosted on one or more domain controllers in the forest. It contains a partial replica of every domain directory partition in the forest. These partial replicas include every object in the forest but only a subset of each object's attributes: the attributes most frequently used in search operations and the attributes required to locate a full replica of the object.

See also: Active Directory; domain controller; forest

globally unique identifier (GUID)

A 16-byte value generated from the unique identifier on a device, the current date and time, and a sequence number. A GUID is used to identify a particular device or component.


group

A collection of users, computers, contacts, and other groups. Groups can be used as security or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists.

See also: domain

group name

A unique name identifying a local group or a global group to Windows. A group's name cannot be identical to any other group name or user name in its own domain or computer.


GUID

See definition for: globally unique identifier (GUID)



HTTP

See definition for: Hypertext Transfer Protocol (HTTP)


hub

A common connection point for devices in a network. Typically used to connect segments of a local area network (LAN), a hub contains multiple ports. When data arrives at one port, it is copied to the other ports so that all segments of the LAN can see the data.

Hypertext Transfer Protocol (HTTP)

The protocol used to transfer information on the World Wide Web. An HTTP address (one kind of Uniform Resource Locator [URL]) takes the form:



IIS

See definition for: Internet Information Services (IIS)


impersonation

A circumstance that occurs when Windows allows one process to take on the security attributes of another.

Internet Information Services (IIS)

Software services that support Web site creation, configuration, and management, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Internet Server Application Programming Interface (ISAPI)

An application programming interface (API) that resides on a server computer for initiating software services tuned for Windows operating systems.


ISAPI

See definition for: Internet Server Application Programming Interface (ISAPI)







LDAP

See definition for: Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP)

The primary access protocol for Active Directory. LDAP is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), that allows users to query and update information in a directory service. Active Directory supports both LDAP version 2 and LDAP version 3.

See also: Active Directory


Microsoft Management Console (MMC)

A framework for hosting administrative tools called snap-ins. A console might contain tools, folders or other containers, World Wide Web pages, and other administrative items. These items are displayed in the left pane of the console, called a console tree. A console has one or more windows that can provide views of the console tree. The main MMC window provides commands and tools for authoring consoles. The authoring features of MMC and the console tree itself might be hidden when a console is in User Mode.

Microsoft Provisioning Framework (MPF)

This definition not ready yet

Microsoft Provisioning System

Definition to come


MMC

See definition for: Microsoft Management Console (MMC)


MPF

See definition for: Microsoft Provisioning Framework (MPF)


native mode

In Windows 2000 domains, the domain mode in which all domain controllers in a domain are running Windows 2000 and a domain administrator has switched the domain operation mode from mixed mode to native mode. Native mode supports universal groups and nesting of groups. In native mode, domain controllers running Windows NT 4.0 or earlier are not supported.

In Windows .NET domains, native mode is referred to as Windows 2000 native, and it is one of three domain functional levels available.

See also: Active Directory

Network Load Balancing

A component of the Windows .NET Server family that provides high availability and scalability of servers using a cluster of two or more host computers working together. Clients access the cluster using a single IP address.

See also: cluster

Network Load Balancing cluster

Up to 32 Web servers from which Network Load Balancing presents a single IP address to Web clients and among which Network Load Balancing distributes incoming Web requests.

See also: Network Load Balancing



object

An entity, such as a file, folder, shared folder, printer, or Active Directory object, described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user's first name, last name, and e-mail address.

For OLE and ActiveX, an object can also be any piece of information that can be linked to, or embedded into, another object.

organizational unit

An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object can be linked, or over which administrative authority can be delegated.

See also: Active Directory



permission

A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are granted or denied by the object's owner.

See also: object; privilege


privilege

A user's right to perform a specific task, usually one that affects an entire computer system rather than a particular object. Privileges are assigned by administrators to individual users or groups of users as part of the security settings for the computer.

See also: object; permission



queue

A list of programs or tasks waiting for execution. In Windows printing terminology, a queue refers to a group of documents waiting to be printed. In NetWare and OS/2 environments, queues are the primary software interface between the application and print device; users submit documents to a queue. With Windows, however, the printer is that interface; the document is sent to a printer, not a queue.



RAID

See definition for: Redundant Array of Independent Disks (RAID)

Redundant Array of Independent Disks (RAID)

A method used to standardize and categorize fault-tolerant disk systems. RAID levels provide various mixes of performance, reliability, and cost. Some servers provide three of the RAID levels: Level 0 (striping), Level 1 (mirroring), and Level 5 (RAID-5).


resource

Generally, any part of a computer system or network, such as a disk drive, printer, or memory, that can be allotted to a running program or a process.

For Device Manager, any of four system components that control how the devices on a computer work. These four system resources are interrupt request (IRQ) lines, direct memory access (DMA) channels, input/output (I/O) ports, and memory addresses.

For server clusters, a physical or logical entity that is capable of being managed by a cluster, brought online and taken offline, and moved between nodes. A resource can be owned only by a single node at any point in time.

See also: server cluster



schema

The set of definitions for the universe of objects that can be stored in a directory. For each object class, the schema defines which attributes an instance of the class must have, which additional attributes it can have, and which other object classes can be its parent object class.

See also: object

security ID (SID)

A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.

See also: group name


server

In general, a computer that provides shared resources to network users.

server cluster

A group of independent computer systems, known as nodes, working together as a single system to ensure that mission-critical applications and resources remain available to clients. A server cluster is the type of cluster that Cluster service implements.

See also: cluster


SID

See definition for: security ID (SID)



transaction

For Message Queuing, the pairing of two or more actions that are performed together as a single action; the action succeeds or fails as a whole. Using Microsoft Distributed Transaction Coordinator (MS DTC) ensures that either both actions succeed or neither is executed.



UPN

See definition for: user principal name (UPN)

user principal name (UPN)

A user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located. This is the standard usage for logging on to a Windows domain. The format is as follows: (as for an e-mail address).

See also: domain; domain name







XML

See definition for: Extensible Markup Language (XML)



