Learn AD in 15 Minutes a Week: AD Delegation of Authority - Permission Settings and Inheritance
by Jason Zandri, www.2000trainers.com
Welcome to the 13th installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment is going to cover the Windows 2000 Active Directory Delegation of Authority - Permission Settings and Inheritance, with a specific focus on controlling Permission Inheritance to Active Directory objects and setting permissions to Active Directory objects.
Controlling Permission Inheritance

Active Directory object permission inheritance automatically causes objects in a container to inherit the permissions of that container or that of the parent container(s). Permission inheritance is enabled by default to help minimize administration by limiting the number of times you need to assign specific permissions for all Active Directory objects. When new Active Directory objects are created, they inherit the permissions that exist in the parent container at the time of their creation. The design of permission inheritance is such that the permissions apply downward in the hierarchy to the object's child objects once they are created. If you create an Organizational Unit named Sales and allow the Saleslead group to have the Full Control permission assigned to the Sales OU, once the three child OUs of Users, Desktops and Laptops are created they will inherit the same permission settings, and the Saleslead group will also have the Full Control permission to those objects as well.

[NOTES FROM THE FIELD] - Domain and Enterprise Administrators have the right to allow or deny permissions for every object in Active Directory, in addition to any other owners that may own the objects.

You can prevent the inheritance of permissions when you need to set a different level of security access to a child container than that of the parent container. Usually this is done when you need more restrictive control over a child container than a parent, but it can also be the case where the child container needs to have special permissions applied. In order to block inheritance, you need to remove the checkmark from the "Allow inheritable permissions from parent to propagate to this object" checkbox. You will then be prompted to either Copy the currently inherited permissions locally, so that the object will still have the locally set level of permissions that it had through inheritance, or you can remove all permissions by selecting Remove.
You would normally copy the settings locally and adjust them to the finer degree that you require, but there are cases where you might remove them all and start from scratch in order to better guarantee that the object is as secure as you require.
[NOTES FROM THE FIELD] - If you remove all permissions and then do not assign any locally, and then close out the dialog box, you will receive a warning that you have denied everyone access to the object and that no one will be able to access it, and only the object owner will be able to change permissions if you select Yes to continue.
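The following PowerShell is an added example and is not part of the original article; it assumes a modern domain-joined host with the ActiveDirectory module (RSAT) installed, which did not exist on Windows 2000, and the distinguished name "OU=Sales,DC=example,DC=com" is a placeholder. It reports which OUs have had inheritance blocked and who holds Full Control on them, and shows how the Copy and Remove choices in the dialog map to SetAccessRuleProtection, refusing the empty-DACL state the note above warns about.

```powershell
# Added example (not from the original article): audit permission inheritance on
# Active Directory OUs using the ActiveDirectory module and the AD: PSDrive.
# Assumptions: RSAT/ActiveDirectory module present; OU and group names follow the
# article's Sales/Saleslead scenario; the DN at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-OUInheritanceReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

        # ACEs set directly on this OU rather than inherited from a parent
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        # Explicit Allow ACEs carrying the full GenericAll mask (Full Control)
        $fullControlAces = @($explicit | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
        })

        [pscustomobject]@{
            OU                  = $_.DistinguishedName
            # True when "Allow inheritable permissions from parent to propagate
            # to this object" has been cleared on this OU
            InheritanceBlocked  = $acl.AreAccessRulesProtected
            ExplicitAceCount    = $explicit.Count
            FullControlGrantees = ($fullControlAces | ForEach-Object { $_.IdentityReference.Value }) -join ';'
        }
    }
}

# Report only the OUs where inheritance has been blocked, with their Full Control holders
Get-OUInheritanceReport | Where-Object InheritanceBlocked | Format-Table -AutoSize

# The two choices the dialog offers when you clear the inheritance checkbox map to
# SetAccessRuleProtection(isProtected, preserveInheritance):
#   Copy   -> SetAccessRuleProtection($true, $true)   inherited ACEs become explicit
#   Remove -> SetAccessRuleProtection($true, $false)  inherited ACEs are dropped
function Block-OUInheritance {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [ValidateSet('Copy', 'Remove')][string]$Mode = 'Copy'
    )

    $path = "AD:\" + $OUDistinguishedName
    $acl  = Get-Acl -Path $path
    $explicitCount = @($acl.Access | Where-Object { -not $_.IsInherited }).Count

    if ($Mode -eq 'Remove' -and $explicitCount -eq 0) {
        # This is the state the article's note warns about: no ACEs would remain,
        # everyone is denied access, and only the owner could repair it. Refuse.
        throw "Refusing to apply an empty DACL to $OUDistinguishedName; add explicit permissions first."
    }

    $acl.SetAccessRuleProtection($true, ($Mode -eq 'Copy'))
    Set-Acl -Path $path -AclObject $acl
}

# Usage: block inheritance on the Sales OU while keeping the current effective
# permissions as explicit entries (the same result as choosing Copy in the dialog).
# The DN below is a placeholder for your own environment.
# Block-OUInheritance -OUDistinguishedName "OU=Sales,DC=example,DC=com" -Mode Copy
```

Run the report first: an OU whose InheritanceBlocked is True and whose FullControlGrantees lists a group other than the expected administrators is exactly the case where someone has copied the inherited entries locally and then adjusted them, so those OUs deserve a closer look before any further delegation is added.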
