
Learn AD in 15 Minutes a Week: Delegation of Authority – Assigning Object Permissions Page 3





Setting Permission Levels

You can allow or deny permissions for every object in Active Directory.

A Deny permission takes precedence over any Allow set at the same level for a user or group, even Full Control. If a specific user is denied access and is allowed Full Control through six other groups the user belongs to, the user is still denied. If a group is denied access, its members are still denied even when each of them is explicitly granted Full Control on their own user accounts and through two other group memberships.


[NOTES FROM THE FIELD] – As with all things Microsoft, there is an exception to this rule. An explicit Allow permission on an object takes precedence over an inherited Deny permission. The reason is the order in which Windows evaluates a DACL: explicit Deny entries, then explicit Allow entries, then the inherited Deny and Allow entries from each parent in turn, stopping as soon as the requested access has been fully granted. So if you are denied access to something through inheritance and an administrator grants you a permission directly on that object, the explicit setting is reached first and wins, even over the inherited Deny.

The same ordering applies in less extreme cases. An explicit Allow Write set directly on an object is honored even if the object inherits only Read, or inherits a Deny Write, from its parent.

When permission to perform an operation is not explicitly assigned, it is implicitly denied. If no entry grants you, or any group you belong to, the access you request, the access check fails simply because nothing in the DACL allows it; no Deny entry is needed for that.

When permission to perform an operation is granted indirectly, it can still be explicitly denied. Access that arrives through inheritance or through group membership can be overridden by a Deny set on the object itself. If a user is gaining access to an object through inheritance, you can set a Deny for that user on the object, and that explicit Deny is evaluated before the inherited Allow. If a user is gaining access through group membership and you want the group, but not that user, to have the access, deny the user on the object; the Deny for the user is evaluated before the Allow for the group.

There are two different types of permissions that can be set, Standard Permissions and Special Permissions.

Standard Permissions are the ones that can be set on the main property sheet of an object through the Security tab.

Full Control allows changing permissions and taking ownership, in addition to every task allowed by the other standard permissions.

Read allows viewing objects and their attributes, the object owner, and the Active Directory permissions.

Write allows changing the attributes of an object.

Create All Child Objects allows adding any type of child object in Active Directory.

Delete All Child Objects allows removing any type of child object in Active Directory.

While it is possible to assign permissions directly to users, best practice is for administrators to assign permissions only to groups. It keeps the ACLs readable, and access is then changed by changing group membership rather than by editing every object a user was granted rights on.
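The standard permissions above correspond to ActiveDirectoryRights values: Read maps to GenericRead, Write to WriteProperty, Create All Child Objects and Delete All Child Objects to CreateChild and DeleteChild, and Full Control to GenericAll. The following added PowerShell example (not from the original article) delegates them to a group rather than to a user, and goes one step past the standard permissions by scoping the Create, Delete and Write rights to user objects only. It assumes the RSAT ActiveDirectory module, a hypothetical domain corp.example with an OU named Staff and a group named Helpdesk, and uses the schemaIDGUID of the user class, which is fixed across Active Directory forests.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module and a hypothetical domain corp.example with OU=Staff and a group "Helpdesk".
Import-Module ActiveDirectory

$ouDN        = 'OU=Staff,DC=corp,DC=example'
$helpdeskSid = (Get-ADGroup -Identity 'Helpdesk').SID

# schemaIDGUID of the "user" class (the same in every forest); limits the
# Create/Delete/Write rights below to user objects instead of "All Child Objects".
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$ouDN"

# Standard "Read" on the OU and everything beneath it.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdeskSid, $rights::GenericRead, $allow, $inherit::All))

# Create and Delete child objects, restricted to the user class.
# (Omit the $userClass argument for the standard "Create/Delete All Child Objects".)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $userClass, $inherit::All))

# Standard "Write" (all properties), applied only to user objects beneath the OU,
# not to the OU itself and not to child objects of other classes.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdeskSid, $rights::WriteProperty, $allow, $inherit::Descendents, $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list only the entries that name the group. To add another help desk
# person, add them to Helpdesk; the OU's ACL does not need to change.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Format-Table AccessControlType, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

Two things to check in the verification output: the Create/Delete entry shows the user class GUID in ObjectType, and the Write entry shows it in InheritedObjectType with InheritanceType Descendents. An entry with an all-zero GUID in both columns applies to every class, which is the "All Child Objects" behaviour of the standard permissions.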

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week covering the Windows 2000 Active Directory Delegation of Authority – Assigning Permissions. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,

“I still yet have to figure out why there are 5 syllables in the word ‘monosyllabic’?”

Jason Zandri



www.2000trainers.com
