Permission to Proceed? Handling Directory Permissions


The old idea that the administrator has to do everything no longer holds in Windows Server 2003. Some tasks still require a full-fledged domain administrator, but the day-to-day management of a domain is easier when you grant different sets of users permission to manage different sets of users and user properties. In plain English, you can delegate the management of low-level users to slightly higher-level users, and so on, so that you, as the administrator, need to step in only for weightier matters such as forests, domain trees, or replication between sites.

About Active Directory permissions

If you're familiar with the Windows NT security model, you already know about Access Control Lists (ACLs). An ACL is a list of permission entries attached to a file, directory, share, printer, or other securable object; it controls which users can access and modify that object.

Windows Server 2003 takes this further: every Active Directory object carries its own ACL, and each entry in that ACL can be scoped to the whole object, to a single attribute, or to a predefined group of attributes (a property set). This lets you control access so finely that you can micromanage your users into the nearest insane asylum. You could insist, for example, that "User group Personnel Admin may change the address, phone number, and e-mail attributes of all users but nothing else."

Assigning permissions

You can assign permissions to Active Directory objects in a number of ways. Here, we show an extreme case, so that everything else will look like a piece of cake!

Remember Active Directory Users and Computers? Well, earlier in this chapter, in "The directory management console," you saw a nice, basic view of this utility. However, it has other options that are shown only when it's in Advanced Features mode. To turn on Advanced Features, start Active Directory Users and Computers (Start → Administrative Tools → Active Directory Users and Computers), and then choose View → Advanced Features.

Some new branches appear under the domain root, such as LostAndFound and System. Those don't matter here. What we're interested in is the tab this mode adds to every object's Properties dialog box: the Security tab.

In Active Directory Users and Computers, find a user, any user. Right-click the user and then select Properties. In the user's Properties dialog box, click the Security tab, and then click the Advanced button. You see a list of permission entries, each consisting of a type (Allow/Deny), a user or group, the permission, and the scope it applies to (Figure 12-6). Notice the size of that scroll bar. Ouch!

Figure 12-6: The Advanced Security Settings dialog box for an object used to control user access.

Obviously, assigning permissions explicitly to every object would take forever. Thankfully, Active Directory uses an inheritance model: you make the change on a container (the domain or an organizational unit), and it propagates down to everything inside. The following section spells out how this works.
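What that scroll bar actually contains, as an added example that is not from the book: the following PowerShell function reads the same security descriptor the Advanced Security Settings dialog displays and emits one record per entry, flagging whether each entry covers the whole object or a single attribute or right, and whether it is explicit or inherited. It uses the .NET System.DirectoryServices classes rather than the later ActiveDirectory module, so it needs only a domain-joined Windows machine with PowerShell. The function name and the distinguished name are my own placeholders.

```powershell
# Added example, not from the book. Dumps the DACL of one directory object the way
# the Advanced Security Settings dialog shows it: type, trustee, rights, scope,
# and whether the entry is explicit or inherited.
# Assumes a domain-joined machine and an account allowed to read the object's
# security descriptor (any domain user can, for most objects). psbase is used so
# the .NET members are reached on every PowerShell version.

function Get-AdObjectAces {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $sd    = $entry.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    # The owner matters too: an owner can always rewrite the DACL, whatever it says.
    Write-Host ("Owner: " + $sd.GetOwner([System.Security.Principal.NTAccount]))

    # GetAccessRules(includeExplicit, includeInherited, trusteeType)
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($ace in $rules) {
        # ObjectType is the all-zero GUID when the entry covers the whole object.
        # Anything else is the schemaIDGUID of one attribute or property set, or
        # the rightsGuid of an extended right such as "Reset Password".
        if ($ace.ObjectType -eq [Guid]::Empty) {
            $scope = "whole object"
        } else {
            $scope = "object type " + $ace.ObjectType.ToString()
        }
        if ($ace.IsInherited) { $origin = "inherited" } else { $origin = "explicit" }

        New-Object PSObject -Property @{
            Type      = $ace.AccessControlType
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Origin    = $origin
            AppliesTo = $ace.InheritanceType
        }
    }
}

# Usage (placeholder DN; change it to a real user).
$aces = @(Get-AdObjectAces -DistinguishedName "CN=Jane Doe,OU=Personnel,DC=example,DC=com")
$aces | Format-Table Type, Trustee, Rights, Scope, Origin -AutoSize

# Most of the long list is inherited; the explicit entries are the ones to read first.
$explicitCount  = @($aces | Where-Object { $_.Origin -eq "explicit" }).Count
$inheritedCount = @($aces | Where-Object { $_.Origin -eq "inherited" }).Count
"{0} explicit entries, {1} inherited entries" -f $explicitCount, $inheritedCount
```

The Scope column is the part the dialog hides behind its "Apply to" and "Properties" tabs: an entry whose ObjectType is not the empty GUID is exactly the kind of attribute-level permission the "Personnel Admin" example above describes.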

Permissions inheritance

There are two types of permissions: explicit and inherited. Explicit permissions are assigned directly to an object, and inherited permissions are propagated to an object from its parent (and so on up the tree). By default, any object in a container inherits permissions from its container. When the two disagree, explicit entries are evaluated before inherited ones, and within each group Deny entries come before Allow, so an explicit Allow on an object wins over a Deny inherited from its container.

Sometimes you don't want permissions to be inherited, for example when you're working with a directory structure in which each contained object needs its own permissions, such as a multiuser File Transfer Protocol (FTP) site or a shared folder that holds user home directories. Active Directory's default is to inherit, but you can change that behavior for any object.

Remember the Advanced Features view for Active Directory Users and Computers? Well, you need it again. Turn on Advanced Features from the View menu and open the advanced security properties of a user (right-click the user, choose Properties, click the Security tab, and then click the Advanced button). Notice the small check box that says "Allow inheritable permissions from parent to propagate to this object and all child objects." Easy to miss, wasn't it?

The Allow Inheritable Permissions from Parent to Propagate to This Object and All Child Objects box is checked by default. If you uncheck it, this object stops receiving entries from its parent: later changes made to the parent container no longer propagate to it, and because inherited entries flow through it, they no longer reach anything beneath it either. You have disabled inheritance for the object.

If you do disable inheritance, Windows asks what to do with the entries the object has already inherited:

  • Copy previously inherited permissions to this object: the inherited entries are kept as explicit entries. Nothing changes today, but the object no longer tracks later changes to its parent, which is a common source of permissions drift.

  • Remove inherited permissions: the inherited entries are dropped, leaving only the entries defined directly on the object. Look at what remains before you choose this, because it can lock out everyone but the owner.

  • Cancel: nothing changes and inheritance stays enabled.

Of course, you can re-enable inheritance later. It's not a one-way operation, so don't panic! One exception: accounts that belong to protected groups such as Domain Admins (the ones with adminCount set to 1) have inheritance switched off again automatically by the AdminSDHolder process, so on those a re-enable does not stick.
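The same three choices done by script, as an added example that is not from the book: the dialog's Copy and Remove map onto the two arguments of ActiveDirectorySecurity.SetAccessRuleProtection(isProtected, preserveInheritance), and a second function reports whether an object is protected and how many entries of each kind it holds, so you can check before and after. It assumes a domain-joined machine, an account allowed to write the object's security descriptor, and my placeholder distinguished name; the function names are mine.

```powershell
# Added example, not from the book. The dialog's choices when you clear the
# "Allow inheritable permissions..." box, plus the way to turn inheritance back on,
# via ActiveDirectorySecurity.SetAccessRuleProtection(isProtected, preserveInheritance).
# Assumes a domain-joined machine, write access to the object's DACL, and a
# placeholder DN. psbase reaches the .NET members on every PowerShell version.

function Set-AdInheritance {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][ValidateSet("Copy", "Remove", "Enable")][string]$Mode
    )
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $sd    = $entry.psbase.ObjectSecurity

    switch ($Mode) {
        # "Copy previously inherited permissions": block inheritance but keep the
        # entries the object has today as explicit entries. It looks unchanged now
        # and silently stops following the parent from here on.
        "Copy"   { $sd.SetAccessRuleProtection($true,  $true)  }
        # "Remove inherited permissions": block inheritance and drop those entries,
        # leaving only what was defined directly on the object.
        "Remove" { $sd.SetAccessRuleProtection($true,  $false) }
        # Re-enable: the parent's inheritable entries flow in again; explicit
        # entries already on the object are left alone.
        "Enable" { $sd.SetAccessRuleProtection($false, $false) }
        # "Cancel" in the dialog has no equivalent here: it simply does nothing.
    }
    $entry.psbase.CommitChanges()
}

function Get-AdInheritanceState {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $sd    = ([ADSI]("LDAP://" + $DistinguishedName)).psbase.ObjectSecurity
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    New-Object PSObject -Property @{
        Object    = $DistinguishedName
        Protected = $sd.AreAccessRulesProtected      # $true means inheritance is off
        Explicit  = @($rules | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($rules | Where-Object { $_.IsInherited }).Count
    }
}

# Usage: check, change, check again. Before "Remove", read the explicit entries;
# if only SYSTEM and the owner remain, nobody else will be able to manage the object.
$dn = "CN=Jane Doe,OU=Personnel,DC=example,DC=com"   # placeholder
Get-AdInheritanceState -DistinguishedName $dn
Set-AdInheritance -DistinguishedName $dn -Mode Copy
Get-AdInheritanceState -DistinguishedName $dn   # Protected is now True and Inherited is 0;
                                                 # Explicit grew by the copied entries.

# "Enable" does not stick on accounts with adminCount=1: the AdminSDHolder process
# re-protects them on its next pass (hourly by default).
```

After Copy, Explicit plus the previously reported Inherited count should equal the new Explicit count; if it doesn't, something else was editing the object at the same time.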

Delegating administrative control

Delegating administration over parts of your domain is one of the great things about Active Directory: you're no longer stuck with the all-or-nothing choice between administrator and nonadministrator. Different people or groups can be given control over particular aspects of an organizational unit or of the whole domain. To delegate administration over a container, follow these steps:

  1. Right-click a container (an organizational unit or domain) in Active Directory Users and Computers, and choose Delegate Control.

    The Delegation of Control Wizard starts up and the welcome screen is displayed.

  2. Click Next to start delegating!

  3. Select the group of users to whom you want to delegate control.

    This is accomplished by clicking the Add button, which opens the Active Directory search tool for locating users and groups. Make your selections (hold down Ctrl to select several at once). Prefer groups over individual people; a delegation granted to one person has to be edited again when that person changes jobs.

    The selections now appear in the Selected users and groups list. The people you have selected are the ones who can perform the tasks you're about to choose.

  4. Click Next.

    A list of common tasks is displayed for which you can delegate control (reset passwords and modify group membership, for example).

  5. Make your selections, and then click Next. If you choose to create a custom task to delegate, follow the steps presented by the wizard: you pick which kinds of objects in the container the delegation applies to and then which permissions to grant, down to individual attributes.

    A summary screen is displayed (as shown in Figure 12-7), giving you the option to change your mind.

    Figure 12-7: The summary screen of the Delegation of Control wizard.

  6. When you're happy with the changes you have made, click Finish.

That's it; a few mouse clicks and you've delegated control of a container to a specific person or group of people. Two things the wizard doesn't tell you: it can only add permission entries, never take them away, so undoing a delegation means removing the entries yourself on the container's Security tab (or with the dsacls tool from the Windows Support Tools); and every delegation stays in force until someone does that, so review the explicit entries on your organizational units from time to time to be sure each one is still wanted.
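The same delegation done by script, as an added example that is not from the book: it grants the book's own "Personnel Admin" wish (change address, phone number, and e-mail, plus reset passwords, for every user under one OU, and nothing else) the way the wizard's custom-task path would, and then lists what was granted, which is also how you audit an OU later. Attribute and extended-right GUIDs are looked up in the schema and the Extended-Rights container instead of being typed in. It assumes a domain-joined machine, an account allowed to write the OU's security descriptor, and my placeholder domain, OU, and group names; the function names are mine.

```powershell
# Added example, not from the book. Delegates, on one OU, to the group
# "Personnel Admins": WriteProperty on streetAddress, telephoneNumber and mail of
# user objects, plus the "Reset Password" extended right. Then lists the explicit
# entries held by that group, which is the audit step the wizard does not offer.
# Assumes a domain-joined machine and write access to the OU's DACL; the names
# below are placeholders. psbase reaches .NET members on every PowerShell version.

$ouDn    = "OU=Personnel,DC=example,DC=com"                                              # placeholder
$trustee = New-Object System.Security.Principal.NTAccount("EXAMPLE", "Personnel Admins")  # placeholder

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext

# Resolve an attribute or class lDAPDisplayName to its schemaIDGUID.
function Get-SchemaGuid {
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]("LDAP://" + $schemaNC))
    $searcher.Filter = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "'$LdapDisplayName' is not in the schema" }
    New-Object Guid (,[byte[]]$hit.Properties["schemaidguid"][0])
}

# Resolve an extended right's display name (as the dialog shows it) to its rightsGuid.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]("LDAP://CN=Extended-Rights," + $configNC))
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    [void]$searcher.PropertiesToLoad.Add("rightsGuid")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "extended right '$DisplayName' not found" }
    [Guid]$hit.Properties["rightsguid"][0]
}

function Grant-PersonnelAdminDelegation {
    param([string]$ContainerDn, [System.Security.Principal.IdentityReference]$Group)

    $userClass = Get-SchemaGuid "user"   # inheritedObjectType: only user objects below the OU
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rules     = @()

    # One WriteProperty entry per attribute. The objectType GUID is what narrows the
    # entry to that single attribute instead of "all properties".
    foreach ($attr in "streetAddress", "telephoneNumber", "mail") {
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Group,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
            (Get-SchemaGuid $attr), $inherit, $userClass)
    }
    # Reset Password is a control access right (extended right), not an attribute.
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Group,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ExtendedRightGuid "Reset Password"), $inherit, $userClass)

    $ou = [ADSI]("LDAP://" + $ContainerDn)
    foreach ($r in $rules) { $ou.psbase.ObjectSecurity.AddAccessRule($r) }
    $ou.psbase.CommitChanges()
}

# Audit: every explicit entry on the container held by one trustee. An entry you
# no longer recognize is worth a question; to revoke, pass the same rule to
# RemoveAccessRule() and CommitChanges() again.
function Get-DelegationsFor {
    param([string]$ContainerDn, [System.Security.Principal.IdentityReference]$Group)
    $sd = ([ADSI]("LDAP://" + $ContainerDn)).psbase.ObjectSecurity
    $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Group.Value } |
        Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-PersonnelAdminDelegation -ContainerDn $ouDn -Group $trustee
Get-DelegationsFor -ContainerDn $ouDn -Group $trustee | Format-Table -AutoSize
```

The audit function is the one to keep: run it per OU against the groups you expect, and any trustee or right that shows up without a matching entry in your change records is a delegation somebody added outside the process.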



Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195
