When a user logs in to a Windows Server 2003 domain, the user account is authenticated; it is checked to make sure that the user has an account in the domain, and that the user is actually who he or she claims to be. This initial authentication process results only in the user gaining access to the network; there still has to be a mechanism in place to determine what access the user has to objects in Active Directory. Security DescriptorsEvery Active Directory object has a security descriptor attached to it that describes the type of access allowed by specific entities. The security descriptor is automatically created with the object. These security descriptors are what Windows Server 2003 uses to control access to Active Directory objects. This method of access control is an example of an object-based security model. Security descriptors are structures that are made up of four components:
Some Active Directory objects will have an ACL that controls the entire object and will also have individual ACLs that control access to individual attributes of the object. This allows an administrator to control not only which users can see an object, but also what attributes of that object each individual user can see. An example of this is an employee list. All users would have read access to the standard fields, such as name, location, telephone numbers, and so on, but the owner of the object would have full control for all the attributes in the listing, including some attributes that ordinary users would not know exist, such as salary history, employee rating, and the like. Access control could also be configured so that individual users could also update the common attributes of their own object. PermissionsAs you can see, access control in Active Directory can be controlled at a granular level. The access to objects is controlled by permissions. Permissions are what define the type of access that is granted to a user for an object or attribute. The owner of an object can grant any user or security group permission to do to the object whatever the owner is authorized to do with it. Different types of objects will have different permissions, depending on the function of the object. For example, you wouldn't assign read permission to a printer. The basic security model in Windows Server 2003 is similar to the one used in previous versions of Windows. In Windows Server 2003, you are allowed to allow or deny various levels of permissions for objects. All permissions are cumulative. This means that if a user is a member of two groups, one with read permission to an object and the other group with write permission, that user would have both read and write permission for the object. Permissions can be allowed or denied. Similar to previous versions of Windows where No Access always overrides any other permissions, in Windows Server 2003 the Deny permission overrides any other permission that is granted to the object. An example is the situation where a user is a member of three groups, all of which have read access to a folder. If that user becomes a member of another group that has been denied any access to that folder, the single denied permission will override several allowed permissions, so the user will no longer have any access to the folder. Although Active Directory permissions seem to be the same as the New Technology File System (NTFS) permissions that we discussed in previous chapters, there are some differences, especially in the area of implicit and explicit permissions. For example, if you deny a user access to an object, you have explicitly denied access to that object. However if you neither grant nor deny a user access to an object, by default, access is implicitly denied. In Active Directory, a user will have access to an object only if it is explicitly permitted. Active Directory objects in Windows Server 2003 use two types of permissions: Standard and Special. The Standard permissions are the same as in previous versions of Windows:
Special permissions are the components of the standard permissions. All the individual permissions that make up the write permission, such as list, read, write all properties, and so on are available separately as Special permissions. This permits a very granular level of access to an object. Assigning Permissions to Active Directory ObjectsIn Windows Server 2003, the permissions for objects and their attributes are configured using the Active Directory Users and Computers snap-in. All permissions for objects are configured from the Properties window of the object, via the Security tab. However, the default in Windows Server 2003 is for the Security tab to not be displayed. To be able to see the Security tab, follow the procedure in Step by Step 8.1.
Figure 8.1. Enabling Advanced Features in the Active Directory Users and Computers MMC allows you to view additional options.
After you do this, notice that it also causes several new containers to appear: ForeignSecurityPrincipals, Lost and Found, and System and NTDS Quotas. Now that you have selected Advanced Features and turned on access to the Security tab, let's look at some of the settings that allow you to control access to Active Directory objects. We will start by going to one of the OU containers and selecting a user, and then changing the access that has been granted to the user. In Step by Step 8.2, we will modify the permissions on one of the objects that we created in the exercises in Chapter 2.
In most cases, the standard permissions will be sufficient for most object access. However, in some situations, granting one of the standard access permissions will give users more access than you think they should have. In that situation, you can assign a user Special Permissions. Special permissions are the component parts of standard permissions. They are far more granular than standard permissions. In Step by Step 8.3, we will grant a user the ability to read the Department field of user objects instead of granting the full standard permission to read most fields of the object.
As mentioned earlier, the network administrator has granular control over Active Directory objects. However, it can easily become a management nightmare trying to keep up with and document the changes to specific attributes of unique objects. To help manage these types of changes, the network administrator should turn on auditing of permissions changes. We cover auditing in Chapter 16. Permissions InheritanceTo help simplify the management of permissions in Active Directory, Microsoft has used a method called Permissions Inheritance. This allows you to set access permissions on a parent object, and then allow the permissions to be automatically propagated to the child objects. In Windows Server 2003, when the access permissions on a container are changed, the changes are inherited by both existing objects and any newly created objects within that container. The default for Windows Server 2003 is for Permissions Inheritance to be turned on, but it can be turned off at the object or container level by de-selecting a check box on the Properties window of the object or container (see Figure 8.7). Figure 8.7. Permissions Inheritance can be turned on or off via the check box.When you deselect the check box, you will be presented with the following options:
Moving AD ObjectsObjects can be easily moved between OUs in Active Directory. This type of task is commonly performed when a user gets transferred to a new department or location or when two departments merge and their resources such as computers and printers have to be combined into one OU. To move a user or other object to another OU, follow the procedure in Step by Step 8.4.
Note: Drag and Drop Starting in Windows Server 2003, you can use drag and drop to move objects in Active Directory. This procedure is identical for users, groups, computers, and shared folders. There are a couple of conditions relating to permissions that you need to be aware of when moving Active Directory objects:
Note: Dsmove To move or rename objects from the command line, use the dsmove utility. This utility is discussed in Chapter 2 in the section "Moving or Renaming Objects with dsmove." The Active Directory Users and Computers snap-in cannot be used to move users between domains. For interdomain moves, use the Active Directory Migration Tool (ADMT). The ADMT is used to move objects from one domain to another. The ADMT is located in the \I386\ADMT folder of the Windows Server 2003 Server CD-ROM. Effective PermissionsWith all the permissions and special permissions in Active directory, it can get confusing trying to figure out who has access to what, and exactly what access they have. Windows Server 2003 includes the Effective Permissions tool. This tool automatically looks at a user's permissions and the permissions of the groups of which the user is a member to calculate the effective permissions for an object in Active Directory. To determine the Effective Permission on an object, the user using the tool must have the Read Membership permission on all objects in Active Directory. In a Windows Server 2003 domain running in pre-Windows 2000 access compatibility mode, all domain users have this permission by default. If the domain is running in Windows Server 2003 mode, only the domain administrators will have the necessary permissions. Exam Alert: Permissions for Effective Permissions During the Dcpromo process, you are prompted as to whether you want to set permissions compatible with pre-Windows 2000 server operating systems. This selection adds the Everyone group to the Pre-Windows 2000 Compatible Access group, and thereby grants the Everyone group read access to most Active Directory objects. If you do not select this option, the Pre-Windows 2000 Compatible Access group is created, but it is empty. In this case, only domain administrators can use the Effective Permissions tool for Active Directory objects. To view the effective permissions for an object, follow the procedure outlined in Step by Step 8.5.
Note: More Info For more information on Effective Permissions (also know as the TGGAU attribute), consult the Microsoft Knowledge Base at http://support.microsoft.com/kb/331951. Remember: When assigning permissions, even though Windows Server 2003 gives you the capability to configure permissions at a granular level, use this capability only when absolutely necessary. As we discussed previously, when you're working with users and groups, it is far easier to manage permissions when they are assigned at a group level. This allows you to add or remove members of the group, instead of having to try to configure each user the same way. The same philosophy applies to configuring permissions on individual attributes of objects. Whenever possible, control access to the individual attributes of objects at the container level so that you have to perform the configuration only once. Another advantage of configuring permissions changes at the group or container level is that it can be done using the Delegation of Control Wizard. This wizard makes it very easy to make permissions changes to Active Directory objects and containers. We will be looking at this wizard in the next section.
|