Files and folders, shared folders, printers, services, Active Directory objects, Terminal Services connections, Windows Management Interface objects, and registry keys and values have similar but not identical authorization methods.
An access control list (ACL) defines who can access an object and what actions the users can take with the object. An ACL consists of multiple access control entries (ACEs). An ACE defines how a specific user or group is allowed to access an object.
Explicit permissions are assigned directly to an object, whereas inherited permissions propagate to an object from its parent object. Using inherited permissions greatly simplifies managing permissions.
You can use groups to efficiently manage access to domain resources, which helps simplify administration. There are two types of groups in Active Directory: distribution groups and security groups.
Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The group scope determines whether the group spans multiple domains or is limited to a single domain. Windows Server 2003 supports the following group scopes:
Depending on the functional level, certain features are enabled or disabled in Active Directory. The default domain functional level is Windows 2000 mixed. When you raise the domain functional level to Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003, the applicable features for that domain are enabled.
When using the User/Access control method, you add the user account that needs access to a resource directly to the ACL of the resource. When using the Account Group/Resource Group method, you add users with similar access requirements into account groups, and then add account groups as members to a resource group that has been granted specific resource access permissions.
By delegating security group maintenance to the appropriate individuals, you can ensure that requests for changes in membership are evaluated by individuals who can judge the appropriateness of the requests, who have the authority to make the changes, and who are motivated to keep group membership and access permissions correct and up-to-date.
To troubleshoot authorization problems, start by identifying the objects the user needs to reach. Auditing can then be used to identify which of those objects the user is being denied access to. After auditing is enabled, Windows Server 2003 adds events to the Security event log that name the resource the user attempted to access and lacked sufficient permissions on.
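As an added example that is not part of this training-kit text, the following PowerShell script carries out the Account Group/Resource Group method described above, shows the explicit versus inherited distinction on the resulting ACL, and adds the failure-audit entry used in the troubleshooting step. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, not the Windows Server 2003 the chapter covers), a domain named CONTOSO, and the group, user, OU and folder names used in the script, all of which are made up for illustration.

```powershell
# Added example, not from the training kit. Assumes the ActiveDirectory module,
# a CONTOSO domain, and the made-up group, user, OU and folder names below.
Import-Module ActiveDirectory

$groupOU       = 'OU=Groups,DC=contoso,DC=com'   # assumed container for the new groups
$accountGroup  = 'Finance-Users'                 # global group: users with similar needs
$resourceGroup = 'Finance-Folder-Modify'         # domain local group: one resource, one right
$resourcePath  = 'D:\Shares\Finance'             # folder whose ACL gets a single explicit ACE

# 1. Account group (global scope) collects the user accounts.
New-ADGroup -Name $accountGroup -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity $accountGroup -Members 'jdoe', 'asmith'

# 2. Resource group (domain local scope) is the only principal that ever lands on the ACL;
#    nesting the account group inside it is what grants those users access.
New-ADGroup -Name $resourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity $resourceGroup -Members $accountGroup

# 3. One explicit Allow ACE on the parent folder, flagged to propagate to subfolders and files.
#    -Audit loads the existing SACL so step 4 adds to it instead of replacing it.
$acl   = Get-Acl -Path $resourcePath -Audit
$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList "CONTOSO\$resourceGroup", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($allow)

# 4. Failure audit entry (SACL) so denied attempts are logged to the Security log once the
#    "Audit object access" policy is enabled for failures (auditpol or Group Policy).
$audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Failure'
$acl.AddAuditRule($audit)
Set-Acl -Path $resourcePath -AclObject $acl

# 5. Verify: the ACE is explicit (IsInherited = False) on the parent and inherited on
#    every child, which is what lets one entry be managed from one place.
foreach ($item in @(Get-Item $resourcePath) + @(Get-ChildItem $resourcePath -Recurse)) {
    (Get-Acl $item.FullName).Access |
        Where-Object { $_.IdentityReference -like "*\$resourceGroup" } |
        ForEach-Object { '{0,-40} {1,-10} inherited={2}' -f $item.FullName, $_.FileSystemRights, $_.IsInherited }
}

# 6. Troubleshooting: the most recent failure audits, whose first message line names the
#    object the user was denied. Requires rights to read the Security log.
Get-EventLog -LogName Security -EntryType FailureAudit -Newest 20 |
    Select-Object TimeGenerated, EventID, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```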