
Learn AD in 15 Minutes a Week: AD Delegation of Authority - Permission Settings and Inheritance

By ServerWatch Staff (Send Email)
Posted Aug 28, 2002


by Jason Zandri, www.2000trainers.com

Welcome to the 13th installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment is going to cover the Windows 2000 Active Directory Delegation of Authority - Permission Settings and Inheritance, with a specific focus on controlling Permission Inheritance to Active Directory objects and setting permissions to Active Directory objects.


Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week series reviews the Windows 2000 Active Directory Delegation of Authority, with a specific focus on controlling Permission Inheritance to Active Directory objects and setting permissions for Active Directory objects.

Controlling Permission Inheritance

Active Directory object permission inheritance automatically causes objects in a container to inherit the permissions of that container and of its parent container(s).

Permission inheritance is enabled by default to help minimize administration by limiting the number of times you need to assign specific permissions for all Active Directory objects.

When new Active Directory objects are created, they inherit permissions that exist in the parent container at the time of their creation.

The design of permission inheritance is such that permissions apply downward in the hierarchy to an object's child objects once they are created. If you create an Organizational Unit named Sales and assign the Saleslead group the Full Control permission on the Sales OU, then when the three child OUs Users, Desktops and Laptops are created they will inherit the same permission settings, and the Saleslead group will have the Full Control permission on those objects as well.

[NOTES FROM THE FIELD] - Domain and Enterprise Administrators have the right to allow or deny permissions for every object in Active Directory, in addition to any other owners that may own the objects.

You can prevent the inheritance of permissions when you need to set a different level of security access on a child container than on the parent container. Usually this is done when you need more restrictive control over a child container than over its parent, but it can also be the case that the child container needs special permissions applied.

In order to block inheritance, you need to clear the "Allow inheritable permissions from parent to propagate to this object" checkbox. You will then be prompted either to Copy the currently inherited permissions locally, so that the object keeps, as explicitly set permissions, the same level of access it previously had through inheritance, or to remove all inherited permissions by selecting Remove.



You would normally copy the settings locally and adjust them to the finer degree that you require, but there are cases where you might remove them all and start from scratch in order to better guarantee that the object is as secure as you require.

[NOTES FROM THE FIELD] - If you remove all permissions, do not assign any locally, and then close the dialog box, you will receive a warning that you have denied everyone access to the object, that no one will be able to access it, and that only the object owner will be able to change permissions if you select Yes to continue.
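The Copy-versus-Remove choice described above can also be made from a script rather than the dialog. The following is an added example, not code from the original article; it uses the ActiveDirectory module's AD: drive and the .NET SetAccessRuleProtection method, and the domain example.com, the Sales and Laptops OUs and the Saleslead group are assumed names for illustration.

```powershell
# Added example (not from the article): block permission inheritance on a child OU
# and report the result. Requires the RSAT ActiveDirectory module.
# Assumed names: domain example.com, OU=Sales with child OU=Laptops.
Import-Module ActiveDirectory

$childOu = 'AD:\OU=Laptops,OU=Sales,DC=example,DC=com'   # assumed DN

function Get-InheritanceReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path      = $Path
        Protected = $acl.AreAccessRulesProtected                          # $true = inheritance blocked
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

function Block-OuInheritance {
    param(
        [string]$Path,
        [ValidateSet('Copy', 'Remove')] [string]$Mode = 'Copy'
    )
    $acl = Get-Acl -Path $Path
    if ($Mode -eq 'Remove') {
        # Mirror the dialog's warning: with no explicit Allow ACEs left, only the
        # owner will be able to change permissions afterwards.
        $explicitAllows = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }).Count
        if ($explicitAllows -eq 0) {
            throw "Refusing Remove on $Path : no explicit Allow ACEs, everyone would be locked out."
        }
    }
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   $true,$true  = Copy   (inherited ACEs become explicit ACEs on this object)
    #   $true,$false = Remove (inherited ACEs are dropped; start from scratch)
    $acl.SetAccessRuleProtection($true, ($Mode -eq 'Copy'))
    Set-Acl -Path $Path -AclObject $acl
}

# Before: Saleslead's Full Control arrives from OU=Sales as inherited ACEs.
Get-InheritanceReport -Path $childOu

# Block inheritance the way the article recommends by default: copy, then fine-tune.
Block-OuInheritance -Path $childOu -Mode Copy

# After: Protected is $true, Inherited is 0, and the copied ACEs now count as Explicit.
Get-InheritanceReport -Path $childOu
```

Run it in a test OU first; Set-Acl against the AD: drive writes the DACL immediately, and the report before and after is the quickest check that the effective permissions did not change when Copy was chosen.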

Page 1 of 3
