70-240 in 15 minutes a week: Delegation of Administrative Control and Working with Group Policy

By ServerWatch Staff
Posted Jun 11, 2001


by Dan DiNicolo
http://www.win2000trainer.com

Welcome to article number 16 in my 70-240 in 15 minutes a week series. This week's article covers Delegation of Administrative Control under Active Directory, as well as part 1 of Implementing Group Policy. This includes a look at ACLs, object ownership and inheritance, as well as group policy object creation and application. This article again falls into the Active Directory portion of the series. Next week I'll continue with the second part of the group policy discussion, as well as a look at software management, and multiple tree forests and external trusts.

The material to be covered in the article includes:

- Active Directory object security overview
- Object permissions and ACLs
- Object ownership and inheritance
- Creating and customizing administrative tools
- Group Policy overview 


Active Directory Object Security Overview

A great way to begin looking at object security in the Active Directory environment is with an overview of the different security elements that you must be familiar with. Many of the concepts covered here were first introduced in earlier articles, though with much less detail. 

The first thing you'll need to remember when taking a look at object security is the concept of a security principal. In the simplest terms, a security principal is an account type to which permissions can be assigned. This includes users, security groups, and computer accounts, all of which are characterized by the fact that they have a security identifier (SID) assigned to them. Every security principal is assigned a SID, made up of a domain identifier (the domain's own SID) and a relative identifier (RID); the combination of the two uniquely identifies the principal.
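As an added example (not code from the article), the following PowerShell takes a SID apart into the two pieces just described, the domain identifier and the RID, using the .NET SecurityIdentifier class that PowerShell exposes. The SID values are constructed for illustration and do not belong to a real domain; the function names Split-Sid, Test-SameDomain and Resolve-SidName are mine.

```powershell
# Added example, not part of the article: take a SID apart into its domain
# identifier and RID. All SID values below are constructed for illustration.

function Split-Sid {
    param([Parameter(Mandatory = $true)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # Binary layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes), then 4-byte little-endian sub-authorities.
    # For an account SID the last sub-authority is the RID.
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)

    $result = [ordered]@{
        Sid            = $sid.Value
        SubAuthorities = [int]$bytes[1]
        IsAccountSid   = $sid.IsAccountSid()   # $true for S-1-5-21-<domain>-<RID> SIDs
        DomainSid      = $null
        Rid            = $null
    }

    if ($sid.IsAccountSid()) {
        # AccountDomainSid is the SID with the trailing RID removed: the domain identifier
        $result.DomainSid = $sid.AccountDomainSid.Value
        $result.Rid       = [BitConverter]::ToUInt32($bytes, $bytes.Length - 4)
    }
    return [pscustomobject]$result
}

function Test-SameDomain {
    # $true when two SIDs carry the same domain identifier (only the RID differs)
    param([string]$SidA, [string]$SidB)
    $a = New-Object System.Security.Principal.SecurityIdentifier($SidA)
    $b = New-Object System.Security.Principal.SecurityIdentifier($SidB)
    return $a.IsEqualDomainSid($b)
}

function Resolve-SidName {
    # Ask the local machine or domain to map a SID to DOMAIN\name; $null if it cannot
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $null }
}

# Constructed domain identifier; RID 1104 lies in the range handed out to ordinary accounts
$user = 'S-1-5-21-1004336348-1177238915-682003330-1104'
Split-Sid $user | Format-List

# Same constructed domain identifier with the well-known RID 512 (Domain Admins)
$domainAdmins = 'S-1-5-21-1004336348-1177238915-682003330-512'
Test-SameDomain $user $domainAdmins

# A built-in SID has no domain part: IsAccountSid is false and DomainSid/Rid stay empty.
# S-1-5-32-544 is the built-in Administrators group, which every Windows machine can resolve.
Split-Sid 'S-1-5-32-544' | Format-List
Resolve-SidName 'S-1-5-32-544'
```

The point to take away is that the domain identifier is the same for every principal in a domain and only the RID changes, which is why Windows can tell at a glance whether two principals come from the same domain, and why well-known SIDs such as BUILTIN\Administrators carry no domain identifier at all.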


When a user attempts to access a resource (such as another object in Active Directory) the applicable SIDs (for the user, groups he/she is a part of, and the associated computer account) are compared to the object's access control list (ACL). The ACL lists who can access the object and to what extent, as shown below for the win2000trainer.com domain object:

ACLs for Active Directory objects (such as users, groups, computers, etc.) are very similar to those you might already be familiar with, such as those associated with NTFS permission assignment. Note, however, that the actual permissions found in the list (called access control entries, or ACEs) can be very different depending on the object type.

There are two types of ACL that you should be aware of - discretionary access control lists (DACLs) and system access control lists (SACLs). A DACL is the list of permissions that security principals have on an object (as shown in the previous screen shot), while a SACL is the list of entries set up for auditing purposes on an object, as shown below:

You should also be aware of the concept of an access token. The access token contains the user and group SIDs, and is created when a user logs on to the domain. This token is subsequently compared to ACLs whenever a user attempts to access a network resource. The token is created with information provided by the domain controller that authenticates the user (user SID as well as SIDs for domain local and global group membership) as well as a global catalog server (which provides universal group SIDs).
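To tie the DACL/SACL distinction above to the access token just described, here is an added PowerShell example (not code from the article) that reads both lists from an Active Directory object and then lists the DACL entries whose trustee SID appears in the current user's token. It assumes a domain-joined machine with the ActiveDirectory module (RSAT) installed, which provides the AD: drive that Get-Acl reads from; reading the SACL requires the "Manage auditing and security log" right, so run it as an administrator. The distinguished name is the article's win2000trainer.com domain object; the function names are mine.

```powershell
# Added example, not part of the article: read the DACL and SACL of an AD object
# and show which DACL entries match the SIDs carried in the current access token.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine and
# administrative rights (needed to read the SACL).
Import-Module ActiveDirectory

function Get-AdObjectAcl {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    # The AD: drive addresses objects by DN; -Audit asks for the SACL as well as the DACL
    return Get-Acl -Path ('AD:\' + $DistinguishedName) -Audit
}

function Get-TokenSidValues {
    # The access token of the current logon session: the user SID plus every group SID
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($identity.User) + @($identity.Groups)
    return $sids | ForEach-Object { $_.Value }
}

function Get-MatchingAces {
    # DACL entries whose trustee SID appears in the token. This is a listing, not an
    # access check: Windows also applies Deny-before-Allow ordering and the ACE's
    # ObjectType (property or extended-right GUID) before it decides.
    param($Acl, [string[]]$TokenSidValues)
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    return $rules | Where-Object { $TokenSidValues -contains $_.IdentityReference.Value }
}

# The article's example object; substitute your own domain DN
$acl = Get-AdObjectAcl -DistinguishedName 'DC=win2000trainer,DC=com'
"Owner: $($acl.Owner)"

"`nDACL (permissions):"
$acl.Access | ForEach-Object {
    $scope = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
    '{0,-5} {1,-40} {2,-9} {3}' -f $_.AccessControlType, $_.IdentityReference, $scope, $_.ActiveDirectoryRights
}

"`nSACL (auditing):"
$acl.Audit | ForEach-Object {
    '{0,-16} {1,-40} {2}' -f $_.AuditFlags, $_.IdentityReference, $_.ActiveDirectoryRights
}

"`nDACL entries that match a SID in the current access token:"
Get-MatchingAces -Acl $acl -TokenSidValues (Get-TokenSidValues) | ForEach-Object {
    '{0,-5} {1,-48} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.ActiveDirectoryRights
}
```

Two things worth noticing when you run it: the Audit property is empty unless Get-Acl was called with -Audit (the SACL is fetched separately from the DACL, exactly as the article separates the two lists), and the token only reflects group membership as it was when the user logged on, so a user added to a group does not see the matching ACEs until the next logon.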

Page 1 of 3

