PlayUKlottery.com - win up to 42 million Pounds
Lesson 4: Controlling Access to Active Directory Objects

Cover
LOC Page
About This Book
Chapter and Appendix Overview
Getting Started
The Microsoft Certified Professional Program
Technical Support
Chapter 1 -- The Microsoft Windows 2000 Platform
Lesson 1: Overview of the Windows 2000 Platform
Lesson 2: Windows 2000 Professional
Lesson 3: Windows 2000 Server
Lesson 4: Windows 2000 Advanced Server and Windows 2000 Datacenter Server
Review
Chapter 2 -- Installing Windows 2000
Lesson 1: Preparing to Install
Lesson 2: Installing Windows 2000 from a CD-ROM
Lesson 3: Installing Windows 2000 over the Network
Lesson 4: Troubleshooting Windows 2000 Setup
Review
Chapter 3 -- Configuring the DNS Service
Lesson 1: Understanding DNS
Lesson 2: Resolving Names
Lesson 3: Installing the DNS Service
Lesson 4: Configuring the DNS Service
Lesson 5: Configuring a DNS Client
Lesson 6: Troubleshooting the DNS Service
Review
Chapter 4 -- Implementing Active Directory Directory Services
Lesson 1: Introduction to Active Directory Directory Services
Lesson 2: Active Directory Structure and Site Replication
Lesson 3: Active Directory Concepts
Lesson 4: Introduction to Planning
Lesson 5: Installing Active Directory Directory Services
Lesson 6: Configuring Active Directory Replication
Review
Chapter 5 -- Administering Active Directory Directory Services
Lesson 1: Creating Organizational Units
Lesson 2: Creating User and Computer Accounts
Lesson 3: Managing Groups
Lesson 4: Controlling Access to Active Directory Objects
Review
Chapter 6 -- Managing Desktop Environments with Group Policy
Lesson 1: Understanding Group Policy
Lesson 2: Applying Group Policy
Lesson 3: Configuring Group Policy
Review
Chapter 7 -- Managing Software by Using Group Policy
Lesson 1: Introducing the Software Installation and Maintenance Technology
Lesson 2: Deploying Software
Lesson 3: Upgrading Software
Lesson 4: Managing Software
Review
Chapter 8 -- Managing File Resources
Lesson 1: Sharing and Publishing File Resources
Lesson 2: Administering Shared Folders by Using Dfs
Lesson 3: Using NTFS Special Access Permissions
Lesson 4: Managing Disk Quotas on NTFS Volumes
Lesson 5: Increasing Security with EFS
Lesson 6: Using Disk Defragmenter
Review
Chapter 9 -- Configuring Remote Access
Lesson 1: Understanding the New Authentication Protocols in Windows 2000
Lesson 2: Configuring Inbound Connections
Lesson 3: Configuring Outbound Connections
Lesson 4: Examining Remote Access Policies
Lesson 5: Creating a Remote Access Policy
Review
Chapter 10 -- Supporting DHCP and WINS
Lesson 1: New DHCP Functionality
Lesson 2: New WINS Functionality
Review
Chapter 11 -- Managing Disks
Lesson 1: Introduction to Disk Management
Lesson 2: Common Disk Management Tasks
Review
Chapter 12 -- Implementing Disaster Protection
Lesson 1: Using Fault-Tolerant Volumes
Lesson 2: Using Advanced Startup Options
Lesson 3: Using the Recovery Console
Lesson 4: Using the Backup Utility
Lesson 5: Performing an Emergency Repair
Review
Chapter 13 -- Upgrading a Network to Windows 2000
Lesson 1: Planning a Network Upgrade
Lesson 2: Establishing the Root Domain
Lesson 3: Upgrading Domain Controllers and Member Servers
Lesson 4: Upgrading Client Operating Systems
Review
Chapter 14 -- Using Remote Installation Services
Lesson 1: Performing Remote Installations
Lesson 2: Creating Distribution Servers
Review
Appendix A -- Questions and Answers
Appendix B -- Creating Setup Disks
About This Electronic Book
About Microsoft Press


[Previous] [Next]

Lesson 4: Controlling Access to Active Directory Objects

Every object in Active Directory directory services has a security descriptor that defines who has the permissions to gain access to the object and what type of access is allowed. Windows 2000 uses these security descriptors to control access to objects. To reduce administrative overhead, you can group objects with identical security requirements into one OU. You can then assign access permissions to the entire OU and all of the objects within it.

After this lesson, you will be able to

  • Explain how to control access to objects in Active Directory directory services with permissions.

  • View permissions on Active Directory objects.

  • Delegate control of an organizational unit.

Estimated lesson time: 55 minutes

Introducing Active Directory Permissions

Active Directory permissions provide security for resources by allowing you to control who can gain access to individual objects or object attributes, and the type of access that you will allow. You can use permissions to assign administrative privileges—for an OU, a hierarchy of OUs, or a single object—to a specific user or group.

An administrator or the object owner must assign permissions to the object before users can gain access to the object. Windows 2000 stores a list of user access permissions called the discretionary access control list (DACL), for every object in Active Directory directory services. The DACL for an object lists who can access the object and the specific actions that each user can perform on the object.

The object type determines which permissions you can select. Permissions vary for different object types. For example, you can assign the Reset Password permission for a user object, but not for a printer object.

Effective Permissions

A user can be a member of multiple groups, each with different permissions that provide different levels of access to objects. When you assign a permission to a user for access to an object, and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and the group permissions. For example, if a user has the Read permission and is a member of a group with the Write permission, the user's effective permissions are Read and Write.

Allow and Deny Permissions

You can allow or deny permissions. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny permission for a user to gain access to an object, the user will not have that permission, even if you allow the permission for a group of which the user is a member. You should deny permissions only when it is necessary to do so for a specific user who is a member of a group with allowed permissions.

NOTE
Always ensure that all objects have at least one user with the Full Control permission. Failure to do so can result in some objects being inaccessible, even to an administrator when he or she uses the Active Directory Users and Computers tool for administrations.

Standard and Special Permissions

You can set standard and special permissions on objects. Standard permissions are the most frequently assigned permissions and are composed of special permissions. Special permissions provide you with a finer degree of control for assigning access to objects.

For example, the standard Write permission is composed of the special permissions Write All Properties, Add/Remove Self As Member, and Read Permissions.

Table 5.4 lists standard object permissions that are available for most objects (some object types have additional permissions that are available) and the type of access that each permission allows.

Table 5.4 Standard Object Permissions

Object permission Allows the user to
Full Control Change permissions and take ownership, plus perform the tasks that are allowed by all other standard permissions.
Read View objects and object attributes, the object owner, and the Active Directory permissions.
Write Change object attributes.
Create All Child Objects Add any type of child object to an OU.
Delete All Child Objects Remove any type of object from an OU.

Using Permission Inheritance

Permission inheritance in Active Directory directory services minimizes the number of times that you need to assign permissions for objects.

Applying Permissions to Child Objects

When you assign permissions, you can select to apply the permissions to subobjects (child objects), which propagates the permissions to all of the subobjects for a given object. To indicate that permissions are inherited, the check boxes for inherited permissions are unavailable in the user interface.

For example, you can assign the Full Control permission to a group for an OU that contains printers, and then apply this permission for all subobjects. The result is that all group members can administer all printers in the OU.

Preventing Permission Inheritance

You can prevent permission inheritance so that a child object does not inherit permissions from its parent object. When you prevent inheritance, only the permissions that you explicitly assign to the object will apply.

Use the Security tab in the Properties dialog box to prevent permission inheritance.

When you prevent permission inheritance, Windows 2000 allows you to do the following:

  • Copy previously inherited permissions to the object. The new explicit permissions for the object are a copy of the permissions that it previously inherited from its parent object. Then, according to your needs, you can make any necessary changes to the permissions.

  • Remove previously inherited permissions from the object. By removing these permissions, you will eliminate all permissions for the object. Then, according to your needs, you can assign any new permission for the object that you want.

Assigning Active Directory Permissions

Windows 2000 determines a user's authorization to use an object by checking the DACL for permissions granted to the user on that object. To add or change permissions for an object, you would do the following:

  1. In the Active Directory Users And Computers window, on the View menu, click Advanced Features.

  2. Right-click the object, click Properties, and then in the Properties dialog box, click the Security tab.

  3. Perform either or both of the following steps:

    • To add a new permission, click Add, click the user account or group to which you want to assign permissions, click Add, and then click OK.

    • To change an existing permission, click the user account or group.

  4. In the Permissions box, select the Allow check box or the Deny check box for each permission that you want to add or remove.

Standard permissions are sufficient for most administrative tasks. However, you might need to view the special permissions that constitute a standard permission. To view special permissions, you would do the following:

  1. On the Security tab in the Properties dialog box for the object, click the Advanced button.

  2. In the Access Control Settings dialog box, on the Permissions tab, click the entry that you want to view, and then click View/Edit.

  3. To view the permissions for specific attributes, click the Properties tab.

NOTE
Avoid assigning permissions for specific attributes of objects because this can complicate system administration—errors can result, such as objects in Active Directory directory services not being visible, which could prevent users from completing tasks.

To modify inheritance of the permission, you would do the following:

  1. On the Security tab in the Properties dialog box for the object, click the Advanced button.

  2. In the Access Control Settings dialog box, on the Permissions tab, click the entry that you want to view, and then click View/Edit.

  3. In the Apply Onto box, select the desired option from the menu.

Changing Object Ownership

Every object has an owner. The person who creates the object automatically becomes the owner. The owner controls the permissions assigned for an object and to whom permissions are assigned.

As an administrator, you can take ownership of any object and then change the permissions for the object. If a member of the Administrators group creates an object or takes ownership, the Administrators group is the owner, rather than the individual member of the group.

Ownership for an object changes when either of the following occurs:

  • The current owner, or any user with the Full Control permission, grants the Modify Owner permission to another user who takes ownership of the object.

    • For example, if an employee who owns an object leaves the company, you can let another user take ownership of that object, thereby reassigning responsibility for the object.

  • A member of the Administrators group takes ownership of any object.

NOTE
Although members of the Administrators group can take ownership of any object, members of the Administrators group cannot transfer ownership. This restriction assures accountability.

To take ownership of an object, you would do the following:

  1. In the Properties dialog box for an object, on the Security tab, click the Advanced button.

  2. Click the Owner tab, and then click your user account. (If you are a member of the Administrators group, you can also click Administrators. This will make the Administrators group the owner.)

  3. Click OK, and then click OK again to take ownership.

Delegating Administrative Control of Active Directory Objects

The structure of Active Directory directory services lends itself to more efficient management through the delegation of administrative control over objects. You can use the Delegation Of Control wizard and customized Microsoft Management Consoles to give specific users the rights to perform various administrative and management tasks, thus decreasing your workload and reflecting your business's hierarchy by placing the responsibility for network resources on the appropriate individuals.

You delegate administrative control of objects by assigning tasks at the OU level, thus allowing users or groups of users to administer the following types of control:

  • Assigning to a user the permissions to create or modify objects in a specific OU.

  • Assigning to a user the permissions to modify specific permissions for the attributes of an object, such as assigning the permission to reset passwords on a user account.

Because tracking tasks (or permission to perform specific tasks) at the OU level is easier than tracking tasks on objects or object attributes, the most common method of delegating administrative control is to assign tasks (or permission to perform specific tasks) at the OU level. Assigning tasks at the OU level allows you to delegate administrative control for the objects that are contained within the OU.

For example, you can delegate administrative control for an OU to the appropriate manager. By delegating control of the OU to the manager, you can decentralize administrative operations and issues. This reduces your administration time and costs by distributing administrative control closer to its point of service.

You can use the Delegation Of Control wizard to assign permissions at the OU level. For more specialized permissions, you must manually assign permissions at the object level.

Using the Active Directory Users and Computers tool, right-click the OU for which you want to delegate control, and then click Delegate Control to start the wizard.

Table 5.5 describes the Delegation Of Control wizard options.

Table 5.5 Delegation Of Control Wizard Options

Option Allows the user to set
Users Or Groups The user accounts or groups to which you want to delegate control
Tasks To Delegate The tasks to assign to the object or objects.

Creating Customized Administrative Tools

One of the new features in Windows 2000 is the ability to create custom administrative tools using the Microsoft Management Console (MMC). Once you have delegated administrative control of a portion of Active Directory directory services, you can create your own unique set of administrative tools and distribute them to the delegated administrators. Saved as .MSC files, these custom administrative tools can be sent by e-mail, stored in a shared folder, or posted on the Web. They can also be assigned to users, groups, or computers with Group Policy settings.

Creating Customized Consoles

You can create custom MMC consoles to meet your administrative requirements by combining snap-ins that you use to perform common administrative tasks into a single console. To open MMC with an empty console, click the Start button, click Run, type mmc in the Open box, and then click OK. Click New on the MMC Console menu, add the desired snap-ins and extensions, name the console, and then save it.

Table 5.6 describes when to use the different commands on the MMC Console menu.

Table 5.6 MMC Console Menu Commands

Use this command When
New You want to create a new custom MMC console.
Open You want to use a saved MMC console.
Save or Save As You want to use the MMC console later.
Add/Remove Snap-In You want to add or remove one or more snap-ins and their associated extensions to or from an MMC console.
Options You want to configure the console mode and create a custom MMC console.

Saving a Console in Author Mode

When you create an MMC console, you can set the mode in which it will open. To set the mode, on the Console menu, select Options. You can select Author Mode or User Mode.

When you save an MMC console in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC console. By default, all new MMC consoles are saved in Author mode. You can use Author mode to do the following:

  • Add or remove snap-ins

  • Create new windows

  • View all portions of the console tree

  • Save MMC consoles

Saving a Console in User Mode

If you plan to distribute an MMC console to other administrators and you do not want them to be able to modify the MMC console, save the MMC console in User mode. When you set an MMC console to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC console. There are three types of User modes, which allow different levels of access and functionality.

Table 5.7 describes the three types of User modes.

Table 5.7 User Mode Types

Use this When
Full Access You want to allow users to navigate between snap-ins, open new windows, and gain access to all portions of the console tree.
Limited Access, Multiple Window You do not want to allow users to open new windows or gain access to a portion of the console tree. You do want to allow users to view multiple windows in the console.
Limited Access, Single Window You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view only one window in the console.

Practice: Delegating Control

In this practice, you will review the default security settings on Active Directory components. Then you will delegate to a user control over objects in an OU.

Exercise 1: Reviewing Active Directory Permissions

In this exercise, you will review the default security settings on Active Directory components.

NOTE
Do not change any security settings in Active Directory directory services unless you are specifically instructed to do so in this exercise. Making changes could result in losing access to portions of Active Directory directory services.

  • To create objects in Active Directory directory services

    1. Log on as Administrator.

    2. Open the Active Directory Users and Computers tool.

    3. Expand domain.com

    4. Right-click domain.com, point to New, and then click Organizational Unit.

    5. In the Name box, type Security, and then click OK.

    6. In the Security OU, create a user account with the first name Assistant and user logon name Assistant@domain.com. Assign a password of password and accept the defaults for all other options.

    7. In the same OU, create another user account with the first name Secretary and user logon name Secretary@domain.com. Assign a password of password and accept the defaults for all other options.

  • To view default Active Directory permissions for an OU

    1. On the View menu, ensure that the Advanced Features option is selected.

    2. In the console tree, right-click Security, and then click Properties.

    3. Click the Security tab.

    4. In the following table, list the groups that have permissions for the Security OU. If an account has special permissions, just record Special Permissions in the table. You will need to refer to these permissions in the next exercise.

    User account or group Assigned permissions
    Account Operators
    Administrators
    Authenticated Users
    Domain Admins
    Enterprise Admins
    Pre-Windows 2000 Aceess
    Print Operators
    System Operators

    Why are all permission check boxes for some groups blank?

    Are any of the default permissions inherited from the domain, which is the parent object? How can you tell?

    Answers

  • To view special permissions for an OU

    1. In the Security Properties dialog box, on the Security tab, click the Advanced button.

      2. The Access Control Settings For Security dialog box appears.

    2. To view the permissions for Account Operators, in the Permission Entries box, click each entry for Account Operators, and then click View/Edit.

      3. The Permission Entry For Security dialog box appears.

      What object permissions are assigned to Account Operators? What can Account Operators do in this OU?

      Do any objects within this OU inherit the permissions assigned to the Account Operators group? Why or why not?

    3. Close all open dialog boxes, and then log off.

    Answers

    Exercise 2: Delegating Control

    In this exercise, you will delegate to a user control over objects in an OU. Refer to the table you completed in the previous exercise to answer the questions below.

  • To test current permissions

    1. Log on to your domain as Assistant using a password of password.

      2. Windows 2000 displays a message that the local policy of your system does not permit you to interactively log on Assistant to your server,

    2. Log on as Administrator, add your Assistant account to the Print Operators group, log off as Administrator, and then log on as Assistant again.

    3. Open the Active Directory Users and Computers tool.

    4. In the console tree, expand your domain, and then click Security.

      5. What user objects are visible in the Security OU?

      Which permissions allow you to see these objects? (Hint: refer to your answers in the preceding exercise.)

      Attempt to change the logon hours for Secretary. Were you successful? Why or why not?

      Attempt to change the logon hours for Assistant. Were you successful? Why or why not?

    5. Close the Active Directory Users and Computers tool and log off.

    Answer

  • To use the Delegation Of Control wizard to assign Active Directory permissions

    1. Log on to your domain as Administrator with a password of password.

    2. Open the Active Directory Users and Computers tool.

    3. In the console tree, expand your domain.

    4. Right-click Security, and then click Delegate Control.

    5. In the Delegation Of Control wizard, click Next.

      6. The Delegation Of Control wizard displays the Users Or Groups page.

    6. Click Add.

    7. In the Select Users, Computers, Or Groups dialog box, click Assistant, click Add, and then click OK.

    8. Click Next.

      9. The Delegation Of Control wizard displays the Tasks To Delegate page. If you only want to delegate control for certain types of tasks, such as managing printers, you can select one or more predefined tasks.

    9. Click the Create, Delete, And Manage User Accounts option, and then click Next.

    10. Click Finish.

    11. Close the Active Directory Users And Computers window and log off.

  • To test delegated permissions

    1. Log on to your domain as Assistant, using a password of password.

    2. Open the Active Directory Users And Computers tool.

    3. In the console tree, expand your domain, and then click Security.

    4. Attempt to change the logon hours for both user accounts in the Security OU.

      5. Were you successful? Why or why not?

    5. Attempt to change the logon hours for a user account in the Users container.

      6. Were you successful? Why or why not?

    6. Close the Active Directory Users And Computers window and log off.

    Answers

    Lesson Summary

    Active Directory permissions provide security for resources by allowing you to control who can gain access to individual objects or object attributes, and the type of access that you will allow. Windows 2000 stores a list of user access permissions, called the discretionary access control list (DACL), for every object in Active Directory directory services. The DACL for an object lists who can access the object and the specific actions that each user can perform on the object.

    You can allow or deny permissions. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny permission for a user to gain access to an object, the user will not have that permission, even if you allow the permission for a group of which the user is a member. You should deny permissions only when it is necessary to do so for a specific user who is a member of a group with allowed permissions.

    When you assign permissions, you can select to apply the permissions to subobjects (child objects), which propagates the permissions to all of the subobjects for a given object. To indicate that permissions are inherited, the check boxes for inherited permissions are dimmed in the user interface. You can prevent permission inheritance so that a child object does not inherit permissions from its parent object. When you prevent inheritance, only the permissions that you explicitly assign to the object will apply.