What is Active Directory?
Active Directory (AD) is a Microsoft service used for central authentication, authorisation and management of users, computers and network resources within a Windows domain. It forms the backbone of identity management in many IT environments — and increasingly in OT networks too.
Active Directory enables organisations to manage user permissions, group memberships, passwords and access rights centrally.
🧠 How does Active Directory work?
- Domain controllers maintain the AD database, which holds objects such as users, devices and policies
- Users sign in with a domain account and are authenticated with Kerberos (the default) or NTLM (a legacy fallback that should be restricted wherever clients support Kerberos)
- Group Policy objects (GPOs) can enforce settings on devices (such as password policies or software installations)
- AD works alongside protocols such as LDAP (directory queries), DNS (clients locate domain controllers through SRV records) and RADIUS (network access, typically via a RADIUS server such as NPS that checks AD credentials)
- AD accounts and groups can feed 802.1X network access control, SIEM log collection, role-based access control (RBAC) and user- or group-aware firewall rules
Domain hierarchy: Forest > Domain > Organizational Unit (OU) > Objects
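As an added example (not from the original page), the hierarchy above can be read straight off an LDAP distinguished name (DN), which is how AD names every object: `DC=` components give the domain, `OU=` components give the OU path, and the leftmost component is the object itself. The small Python parser below does that, honouring RFC 4514 escapes such as `\,` and `\2C`. All DNs in it are constructed. One caveat the code makes explicit: the forest is not encoded in a DN, because a forest is simply named after its root domain, so the DN alone does not tell you whether `plant.example.com` is the forest root or a child domain.

```python
"""Parse an LDAP distinguished name into Domain > OU > Object.
Added example with constructed DNs; not code from the original page."""
import string


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leftmost first.
    Handles RFC 4514 escapes: '\\,' (backslash + char) and '\\2C' (hex pair)."""
    pairs, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in string.hexdigits for c in nxt):
                buf.append(chr(int(nxt, 16)))   # hex-pair escape, e.g. \2C for ','
                i += 3
            else:
                buf.append(dn[i + 1:i + 2])     # backslash-char escape, e.g. \,
                i += 2
            continue
        if ch == ",":                           # unescaped comma ends the RDN
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append("".join(buf))

    out = []
    for rdn in pairs:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().upper(), value.strip()))
    return out


def classify_dn(dn: str) -> dict:
    """Map a DN onto the Domain > OU > Object hierarchy.
    The forest is deliberately absent: a DN does not carry it."""
    rdns = split_dn(dn)
    leaf_attr, leaf_val = rdns[0]               # leftmost RDN names the object
    rest = rdns[1:]
    dcs = [v for a, v in rdns if a == "DC"]
    ous = [v for a, v in rest if a == "OU"]
    containers = [v for a, v in rest if a not in ("DC", "OU")]  # e.g. CN=Users
    if not dcs:
        raise ValueError("DN has no DC components, so no domain can be derived")
    return {
        "domain": ".".join(dcs),                       # DNS name of the domain
        "ou_path": "/".join(reversed(ous)),            # top-level OU first
        "containers": list(reversed(containers)),      # built-in containers, if any
        "object": leaf_val,
        "object_type": leaf_attr,                      # CN for users/computers, OU for an OU
    }


if __name__ == "__main__":
    for dn in ("CN=hmi-op01,OU=HMI,OU=OT,DC=plant,DC=example,DC=com",
               r"CN=Smith\, John,CN=Users,DC=corp,DC=example"):
        print(dn, "->", classify_dn(dn))
```

In practice the DNs come from an LDAP search or from `Get-ADObject` / `Get-ADUser` on a domain-joined host; the parser is useful when you want to check, from logs or exports, that an account really lives under the OU you expect (for example that an operator account is under `OU=OT` and not in an IT OU).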
🏭 Use of Active Directory in OT networks
- Authentication of maintenance and engineering accounts on Engineering Stations
- Access management for HMIs, SCADA, Historian and Remote Access using AD users
- Centralised logging and auditing through SIEM
- 802.1X port authentication and switch management logins via RADIUS, backed by AD accounts and groups
- Group policies for structured management of Windows-based OT systems
Active Directory extends identity and access management from the IT layer into the OT layer — provided it is implemented carefully.
🔍 Active Directory vs. LDAP
| Aspect | Active Directory | LDAP (Lightweight Directory Access Protocol) |
|---|---|---|
| Role | Full directory platform (directory database, Kerberos KDC, DNS integration, Group Policy) | Protocol for accessing directories |
| Origin | Microsoft | Open IETF standard (LDAPv3, RFC 4511) |
| Functionality | User, policy and authentication management | Binding (authenticating against the directory), searching and modifying directory entries |
| Used for | Domains, GPOs, integration with Windows services | Network access to directory structures; AD domain controllers expose an LDAP interface (TCP 389, LDAPS on 636) that applications and appliances use to query AD |
🔐 Security considerations
- Use multi-factor authentication (MFA) for AD administrators and external access
- Implement RBAC with separated OT and IT roles
- Restrict domain access from OT using firewall rules, VLANs and network segmentation, so that OT systems reach only the domain controllers and ports they need
- Use SIEM to monitor sign-in attempts (failed logons, logons from unexpected sources) and privilege escalation (for example changes to privileged group membership)
- Harden domain controllers: least-privilege, tiered administration (separate accounts for DC administration, never used on workstations or OT hosts) and prompt patching
A compromised AD account can grant access to a large portion of the network — segmentation is essential.
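As an added example (not from the original page), here is detection logic for two of the SIEM signals listed above, run over constructed sample events: bursts of failed sign-ins (Windows Security event 4625) from one source, optionally followed by a success (4624), and additions to privileged AD groups (4728/4732/4756 for global, local and universal groups). The field names mirror the Windows Security log (`IpAddress`, `TargetUserName`, `MemberName`, `SubjectUserName`); the values, IPs, hostnames and account names are all made up. The privileged group list and the threshold/window values are assumptions you would tune for your environment.

```python
"""Detection over Windows Security events for failed-logon bursts and
privileged-group additions. Added example; all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, **fields):
    return {"Time": time, "EventID": event_id, **fields}


# Constructed sample log. Six failed logons for one account from one source
# inside a minute, then a success from that source: a brute-force pattern.
SAMPLE_EVENTS = [
    _ev(f"2024-03-01T08:00:{s:02d}", 4625, TargetUserName="eng-admin",
        IpAddress="10.20.30.5", WorkstationName="ENG-WS01")
    for s in (0, 10, 20, 35, 50, 59)
] + [
    _ev("2024-03-01T08:02:00", 4624, TargetUserName="eng-admin",
        IpAddress="10.20.30.5", WorkstationName="ENG-WS01"),
    # Two isolated failures hours apart: noise, not a burst.
    _ev("2024-03-01T07:30:00", 4625, TargetUserName="hmi-op02",
        IpAddress="10.20.31.9", WorkstationName="HMI-03"),
    _ev("2024-03-01T09:45:00", 4625, TargetUserName="hmi-op02",
        IpAddress="10.20.31.9", WorkstationName="HMI-03"),
    # An OT account added to Domain Admins by an IT helpdesk account:
    # breaks OT/IT role separation and is a privilege escalation.
    _ev("2024-03-01T10:15:00", 4728, SubjectUserName="it-helpdesk",
        TargetUserName="Domain Admins",
        MemberName="CN=hmi-op01,OU=HMI,OU=OT,DC=plant,DC=example,DC=com"),
    # Routine change to a non-privileged OT group: no alert expected.
    _ev("2024-03-01T10:16:00", 4728, SubjectUserName="ot-admin",
        TargetUserName="OT-Operators",
        MemberName="CN=hmi-op02,OU=HMI,OU=OT,DC=plant,DC=example,DC=com"),
]

# Assumed watch-list of groups whose membership changes should always alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global/local/universal group


def _t(event):
    return datetime.fromisoformat(event["Time"])


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP has >= threshold 4625 events inside `window`,
    and record whether a 4624 success from that source followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(_t(e))
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=_t)
        times = [_t(e) for e in evs]
        best, start = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last = times[-1]
            alerts.append({
                "rule": "failed_logon_burst", "source": src, "count": best,
                "accounts": sorted({e["TargetUserName"] for e in evs}),
                "followed_by_success": any(last < s <= last + window
                                           for s in successes.get(src, [])),
            })
    return alerts


def detect_privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Alert on any member added to a privileged group, recording who did it."""
    return [
        {"rule": "privileged_group_add", "group": e["TargetUserName"],
         "member": e["MemberName"], "by": e["SubjectUserName"], "time": e["Time"]}
        for e in events
        if e["EventID"] in GROUP_ADD_EVENTS and e["TargetUserName"] in privileged
    ]


def run_detections(events=SAMPLE_EVENTS):
    return detect_failed_logon_bursts(events) + detect_privileged_group_changes(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Two practical caveats: real 4625 events carry `IpAddress` as `-` for local logons, so key on `WorkstationName` as well before trusting the source grouping, and a burst followed by a success is the case to escalate first, since it suggests the guessing worked rather than merely being attempted.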
📌 In summary
Active Directory provides centralised control over user identity and access management in hybrid IT/OT networks. With careful segmentation and security, it is a powerful tool for managing industrial environments safely.
