But What about Access Control with Active Directory Objects?


We've talked about objects and access control, but with Active Directory, you need to be aware of two additional features: delegated access control and property-based inheritance. The following describes these two features in general; turn to Chapter 12 for the gory details.

Delegation of access control

You can enable others to manage portions of your network for you; otherwise, you'd be working 24/7! You can slice up the management by domain, or you can give someone else rights to manage an organizational unit for you, depending on the functions you want them to perform. This is accomplished through the Delegate Administration Wizard, which is in the Active Directory Users and Computers snap-in. (Choose Start → Administrative Tools → Active Directory Users and Computers, click a domain, and then choose Delegate Control from the Action menu.)

REMEMBER

An organizational unit is an Active Directory container that holds other organizational units, computers, users, and groups. For more information on organizational units, see Chapter 11.

Warning

Before you can give others access to manage Active Directory objects, you must first have the proper permissions to delegate that object authority. In addition, you must give the proper permissions to others to manage that object. For more information on this, see Chapter 12.

Property-based inheritance

Just as you might inherit money from a relative, the lower levels of your network structure can inherit access control information set at a higher level of the structure. Inheritance, as its name suggests, always flows in a downward direction. We want to touch briefly on two methods of property-based inheritance. (For more information and detail on how this inheritance works, see Chapter 12.)

The first method is called dynamic inheritance. As the word dynamic suggests, the access control information for this type of inheritance is calculated on the fly every time a read or write to the object is requested. This results in some performance overhead (such as extra traffic) that should be considered on a busy network. (Extra traffic on a busy network can slow things down significantly.)

The second method is called the static model, also referred to as Create Time Inheritance. This means that the access control information for an object is set when the object is created, by looking at the parent object's permissions and combining those permissions with the new object's own permissions. Unless permissions are changed at a higher level, the access control for the object does not change. Therefore, when a request is made to read or write to the object, no recalculation is necessary to determine the permissions. However, if permissions are changed at a higher level, those changes are propagated downward to change permissions or reset combined permissions at lower levels, similar to dominoes toppling over. The only time there's a recalculation is when the permissions at higher levels are set and the propagation is in progress.
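To make the difference between the two models concrete, here is a small added toy model (not code from the book or from Windows) of a container tree with access control entries. The dynamic model walks up to the root on every access; the static model stores the combined ACL at create time and re-propagates it downward only when a higher-level ACL changes. Real Windows DACLs also order deny entries and scope entries by object type; this constructed example uses plain set union to show the inheritance mechanics only.

```python
# Toy model of the two property-based inheritance schemes (constructed example).
# An ACE is a (trustee, right) pair; an object's effective ACL is the union of
# its own ACEs and those inherited from its parents.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    own: set = field(default_factory=set)       # ACEs set directly on this object
    parent: "Node | None" = None
    children: list = field(default_factory=list)
    combined: set = field(default_factory=set)  # static model: stored at create time

def create(name, parent=None, own=()):
    node = Node(name, set(own), parent)
    if parent:
        parent.children.append(node)
    # Static (create-time) model: combine the parent's stored ACL with the new
    # object's own ACEs exactly once, when the object is created.
    node.combined = (parent.combined if parent else set()) | node.own
    return node

def effective_dynamic(node, counter):
    """Dynamic model: recompute on every access by walking up to the root."""
    acl = set()
    while node:
        counter["lookups"] += 1   # one lookup per level visited, every time
        acl |= node.own
        node = node.parent
    return acl

def effective_static(node, counter):
    """Static model: a single read of the ACL stored on the object."""
    counter["lookups"] += 1
    return node.combined

def set_own(node, own):
    """Change permissions at some level and propagate downward (the dominoes)."""
    node.own = set(own)
    stack = [node]
    while stack:
        n = stack.pop()
        n.combined = (n.parent.combined if n.parent else set()) | n.own
        stack.extend(n.children)

# Constructed tree: domain -> Sales OU -> user object (all names are made up).
domain = create("DC=example", own={("DomainAdmins", "FullControl")})
sales = create("OU=Sales", domain, own={("SalesHelpdesk", "ResetPassword")})
alice = create("CN=alice", sales)
```

Both models yield the same effective ACL for alice, but the dynamic walk costs one lookup per level on every access, while the static model pays only when set_own is called on a container above her.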


Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195