Learn AD in 15 Minutes a Week: Delegation of Authority - Assigning Object Permissions



July 31, 2002

by Jason Zandri
www.2000trainers.com

Welcome to the 12th installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new directory service from Microsoft. This installment reviews Windows 2000 Active Directory Delegation of Authority, specifically assigning permissions to Active Directory objects.


Assigning Object Permissions

By delegating control of day-to-day administration at the organizational unit level, in every domain of your Windows 2000 forest, to responsible domain members and junior administrators, you decentralize administrative operations and move them closer to the workers they affect, and you free your more seasoned administrators to concentrate on enterprise-wide services and issues.

You can use permissions to grant administrative control to a specific user or groups of users so that they can administer a single organizational unit or an entire hierarchy of organizational units, depending on your needs and the detail of delegation your Enterprise requires.

You can allow or deny permissions on any object in Active Directory as long as you own that object (or hold the Modify Permissions right on it). A permission is either explicit (set on the object itself) or inherited from a parent container; either kind can allow or deny, and either kind can be set as a standard permission or as a special permission.

[NOTES FROM THE FIELD] - Domain Admins have full control over the objects in their domain by default, and Enterprise Admins over the objects in the forest, and both can take ownership of any object. In practice they can allow or deny permissions on every object in Active Directory, in addition to whatever other owners those objects may have.

The permissions on all Active Directory objects are stored in that object's DACL (Discretionary Access Control List). Each individual permission that is set, both allow and deny, is contained in an ACE (Access Control Entry).

[NOTES FROM THE FIELD] - In order to view the Security tab of an object and/or to see other advanced views in the Active Directory Users and Computers MMC, you need to select VIEW and then choose Advanced Features.



Use the DACL on the physical resource itself (the share and NTFS permissions on a folder, for example) to control access to the data: who is allowed to read it and who is allowed to write to it.

On an Active Directory object, the DACL controls who has full control of the object, who can read it or write its properties, who can create or delete child objects beneath it (a leaf object has no children, so those permissions do not apply to it), and so on.

Use the DACL on the object published in Active Directory to control who can view or change the properties of the published object. A user needs Read permission on the published object to see it in the directory or to have it appear in the results list when searching for a published resource.

The two DACLs are independent. A user with Read access to the directory object can see it in the directory and in search results, but if the DACL on the physical resource grants that user nothing (or explicitly denies them), they will not be able to open the resource, whether they reach it through the Active Directory object or directly at the share. Conversely, denying a user Read on the directory object only hides it from them; it does not by itself block access to the underlying share.

Below is the Security property sheet for the Software Organizational Unit.





[NOTES FROM THE FIELD] -
In general, when setting up access to either Active Directory objects or to files and folders, use global groups and domain local groups together: global groups to collect the users, and domain local groups to receive the permissions on the resource.

You add user accounts (A) into global groups (G), then add the global groups into domain local groups (DL), and then grant published object or resource permissions (P) to the domain local groups. This is referred to as A G DL P, and it provides the most flexibility and the best tracking for administrative purposes of granting access permissions to network resources.

This design works in both mixed and native domain modes.

In a pure native mode environment you can also use the A G U DL P design, because universal security groups are only available in native mode.

In a native mode, multi-domain forest you put user accounts (A) into global groups (G) in each domain, add the global groups to a universal group (U), put the universal group into a domain local group (DL) in the domain that holds the resource, and then grant permissions (P) to the domain local group.


Setting Permission Levels

You can allow or deny permissions for every object in Active Directory.

Denied permissions take precedence over allowed permissions of the same kind (explicit over explicit, inherited over inherited), even Full Control. If a user is explicitly denied access and is allowed Full Control through six other groups that user belongs to, they will still be denied. If a group is explicitly denied access, its members are denied even if they are explicitly given Full Control on their own accounts and through two other group memberships.

[NOTES FROM THE FIELD] - As with all things Microsoft, there is an exception to this rule. Permissions set directly on an object are evaluated before the permissions it inherits from a parent, so an explicit Allow takes precedence over an inherited Deny. That is, if you are denied access to something through inheritance and an administrator grants you that permission directly on the object, the explicit setting wins, even though it overrides an inherited Deny. The full order of evaluation is explicit Deny, explicit Allow, inherited Deny, inherited Allow.

The same ordering applies in less extreme cases, but remember that Allow permissions accumulate rather than replace one another: an explicit Write on an object combined with an inherited Read gives the user both Read and Write, not Write alone.

When permission to perform an operation is not assigned at all, it is implicitly denied. What this means is that if you are never given any permission to an object, whether directly, through inheritance, or through a group, you are denied access by the simple fact that nothing has granted it.

When permission is granted indirectly, it can still be explicitly denied. If permissions reach a user through inheritance from a parent container or through group membership, you can still add a Deny on the object itself. If a user is gaining access to an object through inheritance, a Deny set directly on that object for that user takes the access away. If a user is gaining access through group membership and you want the group, but not that particular user, to have the access, deny the user directly on the object; the explicit Deny for the user is evaluated before the Allow for the group.
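The evaluation order described above, worked through as an added example that is not code from the original article. The function below is a small model of how Windows walks a canonically ordered DACL: explicit Deny, explicit Allow, inherited Deny, inherited Allow, stopping at the first Deny that covers a requested right, accumulating Allows, and treating the end of the list as the implicit deny. The SIDs, group names and ACEs are constructed for illustration; real ACEs carry right masks rather than the strings used here.

```powershell
function Test-DaclAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Dacl,        # ACEs as hashtables: @{Sid; Type; Rights; Inherited}
        [Parameter(Mandatory)] [string[]] $TokenSids,   # the caller's own SID plus the SIDs of its groups
        [Parameter(Mandatory)] [string[]] $Requested    # rights being asked for, e.g. 'Read','Write'
    )
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # (Windows also orders inherited ACEs nearest parent first; that detail is not modelled.)
    $ordered = foreach ($inherited in $false, $true) {
        foreach ($type in 'Deny', 'Allow') {
            $Dacl | Where-Object { [bool]$_.Inherited -eq $inherited -and $_.Type -eq $type }
        }
    }
    $outstanding = [System.Collections.Generic.HashSet[string]]::new([string[]]$Requested)
    foreach ($ace in $ordered) {
        if ($TokenSids -notcontains $ace.Sid) { continue }          # ACE is for a different principal
        $overlap = @($ace.Rights | Where-Object { $outstanding.Contains($_) })
        if ($overlap.Count -eq 0) { continue }                       # ACE says nothing about what is still needed
        if ($ace.Type -eq 'Deny') { return $false }                  # a Deny on any outstanding right ends the check
        foreach ($r in $overlap) { [void]$outstanding.Remove($r) }   # Allows accumulate
        if ($outstanding.Count -eq 0) { return $true }               # everything requested has been granted
    }
    return $false   # end of the list with rights still outstanding: implicit deny
}

# Constructed SIDs for illustration only.
$Alice    = 'S-1-5-21-1000-2000-3000-1101'
$Bob      = 'S-1-5-21-1000-2000-3000-1102'
$Carol    = 'S-1-5-21-1000-2000-3000-1103'
$HelpDesk = 'S-1-5-21-1000-2000-3000-2101'   # global group
$Contract = 'S-1-5-21-1000-2000-3000-2102'   # global group

# Constructed DACL for one OU: two ACEs inherited from the parent OU, two set on the OU itself.
$dacl = @(
    @{ Sid = $HelpDesk; Type = 'Allow'; Rights = 'Read', 'Write'; Inherited = $true  }
    @{ Sid = $Alice;    Type = 'Deny';  Rights = 'Write';         Inherited = $true  }
    @{ Sid = $Alice;    Type = 'Allow'; Rights = 'Write';         Inherited = $false }
    @{ Sid = $Contract; Type = 'Deny';  Rights = 'Read';          Inherited = $false }
)

# Alice: the explicit Allow Write is evaluated before the inherited Deny Write; Read comes from HelpDesk.
Test-DaclAccess -Dacl $dacl -TokenSids $Alice, $HelpDesk -Requested 'Read', 'Write'
# Bob: the explicit Deny Read on Contract is evaluated before the inherited Allow from HelpDesk.
Test-DaclAccess -Dacl $dacl -TokenSids $Bob, $HelpDesk, $Contract -Requested 'Read'
# Bob again: that Deny covers only Read, so Write still comes through HelpDesk.
Test-DaclAccess -Dacl $dacl -TokenSids $Bob, $HelpDesk, $Contract -Requested 'Write'
# Carol: no ACE names her or any group she belongs to.
Test-DaclAccess -Dacl $dacl -TokenSids $Carol -Requested 'Read'
```

Tracing the four calls through the rules in the text gives True, False, True and False respectively: the explicit Allow overrides the inherited Deny for Alice, the explicit Deny on a group beats the inherited Allow for Bob without touching the rights it does not name, and Carol is refused by implicit deny because nothing grants her anything.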

There are two types of permissions that can be set, standard permissions and special permissions.

Standard permissions are the ones that can be set on the main property sheet of an object through the Security tab. Special permissions are the finer-grained entries behind the Advanced button (individual properties, specific classes of child object, extended rights) from which the standard permissions are built.

Full Control allows changing permissions and taking ownership, and includes everything allowed by all the other standard permissions.

Read allows viewing the object and its attributes, the object owner, and the Active Directory permissions set on it.

Write allows changing the attributes of an object.

Create All Child Objects allows adding any type of child object beneath this object.

Delete All Child Objects allows removing any type of child object beneath this object.

While it is possible to assign permissions directly to users, best practices dictate that Administrators should only assign permissions to groups for the easiest administration.
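As an added example (not code from the original article), the A G DL P layout from the notes above and the standard permissions just listed, put together in PowerShell with the ActiveDirectory module and the .NET ActiveDirectoryAccessRule class. This tooling postdates Windows 2000 (the module ships with Windows Server 2008 R2 and later), but the permission model it writes is the one described here. The domain corp.example, the Software and Groups OUs, the two group names and the account jdoe are assumed placeholders.

```powershell
Import-Module ActiveDirectory

# Assumed names (hypothetical): replace with your own domain, OUs and accounts.
$ouPath   = 'OU=Software,DC=corp,DC=example'
$groupsOu = 'OU=Groups,DC=corp,DC=example'

# G: a global group collects the accounts.  DL: a domain local group receives the permission.
$g  = New-ADGroup -Name 'Software-OU-Operators-G'  -GroupScope Global      -GroupCategory Security -Path $groupsOu -PassThru
$dl = New-ADGroup -Name 'Software-OU-Operators-DL' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu -PassThru

Add-ADGroupMember -Identity $g  -Members 'jdoe'   # A -> G  (jdoe is a hypothetical account)
Add-ADGroupMember -Identity $dl -Members $g       # G -> DL

# P: grant standard permissions on the OU to the domain local group, never to the user.
# Standard permission on the Security tab -> ActiveDirectoryRights flag:
#   Full Control             -> GenericAll
#   Read                     -> GenericRead
#   Write                    -> GenericWrite
#   Create All Child Objects -> CreateChild
#   Delete All Child Objects -> DeleteChild
$sid     = [System.Security.Principal.SecurityIdentifier]$dl.SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, CreateChild, DeleteChild'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# 'All' applies the ACE to this object and everything beneath it, i.e. the whole OU hierarchy.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$ouPath"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $inherit)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouPath" -AclObject $acl

# Read the DACL back: this is the same data the Security tab shows once Advanced Features is on.
# IsInherited separates ACEs set on this OU from those flowing down from a parent container.
Get-Acl -Path "AD:\$ouPath" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like '*Software-OU-Operators-DL' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType
```

Because the ACE is written to the OU with inheritance set to All, every object later created under the Software OU shows the same entry with IsInherited equal to True, while a Deny added directly on one of those child objects would appear there as a non-inherited entry and would be evaluated ahead of this inherited Allow.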


Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week covering the Windows 2000 Active Directory Delegation of Authority - Assigning Permissions. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,


"I still yet have to figure out why there are 5 syllables in the word "monosyllabic"?"


Jason Zandri
Jason@Zandri.net

www.2000trainers.com