Learn AD in 15 Minutes a Week: Delegation of Authority - Assigning Object Permissions Page 2
Use the DACL on the shared physical resource to control access to that resource. For example, with a shared folder, use the DACL to control who is allowed to read the data and who can write to it. With an Active Directory object, you can control who has full control of the object, who can read it or write to its properties, who can create child objects (leaf objects excluded), and so on. Below is the Security property sheet for the Software Organizational Unit.
Use the DACL on the object published in Active Directory to control who can view or change the properties of the published object. Users require Read permission on the DACL of a published object to view the published object or to have it appear in the results list when searching for a published resource.

If a user has Read access to the Active Directory object and can see it in the directory (or in the results list of a search), but has no permissions granted (or an explicit Access Denied) in the DACL of the physical resource, they will not be able to access the resource, either via the Active Directory object or locally at the physical resource.

[NOTES FROM THE FIELD] -
In general, when setting up access to either Active Directory objects or to files and folders, you want to use both global and domain local groups to allow users access to resources and to assign the permission levels of access to those resources.

You want to add user accounts (A) into global groups (G), then add the global groups into domain local groups (DL), and then grant published object or resource permissions (P) to the domain local groups. This is referred to as A G DL P, and it provides the most flexibility and the best tracking for administrative purposes when granting access permissions to network resources. This design works in both mixed-mode and native-mode domains.

In a pure native mode environment you can use the A G U DL P design. In a native mode, multiple-domain forest you put user accounts (A) into global groups (G), add the global groups to universal groups (U), put the universal groups into domain local groups (DL), and then grant permissions (P) to the domain local group.
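The following script is an added example, not part of the original article, that ties the two points above together: it builds the A G DL P chain with the Active Directory PowerShell module and then grants the domain local group the two DACL entries the text describes, Modify on the shared folder (the physical resource) and Read on the volume object that publishes the share in the Software OU. It closes with a check that reports whether a principal holds both entries, which is the condition the text gives for a user being able to find the object in a search and then actually open the share. The domain name, OU paths, share path, group and user names are all hypothetical placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module, a domain-joined host with rights on the share and the OU, and these
# hypothetical names: domain CORP (DC=corp,DC=example), an OU=Groups container,
# the Software OU, a share \\fs01\Software and users alice and bob.
Import-Module ActiveDirectory

$domainDN   = 'DC=corp,DC=example'
$groupOU    = "OU=Groups,$domainDN"
$softwareOU = "OU=Software,$domainDN"
$sharePath  = '\\fs01\Software'
$users      = @('alice', 'bob')

# A -> G: user accounts go into a global group
New-ADGroup -Name 'G-Software-Editors' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'G-Software-Editors' -Members $users

# G -> DL: the global group is nested in a domain local group
New-ADGroup -Name 'DL-Software-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL-Software-Modify' -Members 'G-Software-Editors'
$dlSid = (Get-ADGroup -Identity 'DL-Software-Modify').SID

# DL -> P, part 1: DACL on the physical resource (the shared folder)
$fsAcl  = Get-Acl -Path $sharePath
$fsRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $dlSid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $sharePath -AclObject $fsAcl

# Publish the share in the Software OU as a volume object (objectClass volume,
# uNCName pointing at the share), then set the DACL on that published object.
$published = New-ADObject -Name 'Software Share' -Type volume -Path $softwareOU `
    -OtherAttributes @{ uNCName = $sharePath } -PassThru

# DL -> P, part 2: Read on the published object so the group can see it and
# have it returned when searching for published resources.
$adPath = "AD:\$($published.DistinguishedName)"
$adAcl  = Get-Acl -Path $adPath
$adRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $dlSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$adAcl.AddAccessRule($adRule)
Set-Acl -Path $adPath -AclObject $adAcl

# Check helper: does a principal hold an Allow ACE for Read on the published
# object AND an Allow ACE (with no Deny) on the physical resource? The text
# says both are required before the user can actually reach the share.
function Test-PublishedResourceAccess {
    param(
        [Parameter(Mandatory)][string]$PublishedObjectDN,
        [Parameter(Mandatory)][string]$ResourcePath,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $adAces = (Get-Acl -Path "AD:\$PublishedObjectDN").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid }
    $canSee = [bool]($adAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) })

    $fsAces = (Get-Acl -Path $ResourcePath).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid }
    $denied  = [bool]($fsAces | Where-Object { $_.AccessControlType -eq 'Deny' })
    $allowed = [bool]($fsAces | Where-Object { $_.AccessControlType -eq 'Allow' })

    [pscustomobject]@{
        CanSeeInDirectory = $canSee
        CanOpenResource   = ($allowed -and -not $denied)
        EffectiveAccess   = ($canSee -and $allowed -and -not $denied)
    }
}

Test-PublishedResourceAccess -PublishedObjectDN $published.DistinguishedName `
    -ResourcePath $sharePath -Sid $dlSid
```

The check only inspects the ACEs that name the domain local group directly; a real effective-access review also has to walk the user's group memberships (A into G into DL), which is exactly why the text recommends granting permissions to the domain local group and nothing else, so there is one place to look.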
