by Jason Zandri
www.2000trainers.com
Welcome to the 12th installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment reviews Windows 2000 Active Directory Delegation of Authority – Assigning Permissions, and specifically covers Assigning Permissions to Active Directory Objects.
By delegating control of the day-to-day administration at the organizational unit level in your domains throughout your Windows 2000 forest to other responsible domain members and junior administrators, you allow for decentralized administrative operations closer to the worker level, and you allow more seasoned administrators to concentrate on enterprise-wide services and issues.
You can use permissions to grant administrative control to a specific user or group of users so that they can administer a single organizational unit or an entire hierarchy of organizational units, depending on your needs and the level of delegation detail your enterprise requires.
You can allow or deny permissions for every object in Active Directory as long as you are the owner of that object. Permissions can be set either implicitly or explicitly, they can be allowed or denied, and they can be set as standard permissions or as special permissions.
[NOTES FROM THE FIELD] – Domain and Enterprise Administrators have the rights to allow or deny permissions for every object in Active Directory, in addition to any other owners that may own the objects.
The permissions on all Active Directory objects are stored in that object’s DACL (Discretionary Access Control List). Each individual permission that is set, both allow and deny, is contained in an ACE (Access Control Entry).
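To make the DACL and ACE structure concrete, here is an added example (not from the original article) that loads a constructed DACL into the .NET `ActiveDirectorySecurity` class, lists every ACE, and flags delegated accounts that can rewrite permissions themselves. The SDDL string, the domain SID and the RIDs 1105/1106 are invented sample data, and the use of PowerShell (which postdates Windows 2000) is an assumption about the reader's tooling.

```powershell
# Added example; runs offline on Windows. All SIDs below are constructed:
# S-1-5-21-1111111111-2222222222-3333333333 is a made-up domain, 1105 and
# 1106 are made-up delegated accounts. AU = Authenticated Users,
# BA = builtin Administrators.
Add-Type -AssemblyName System.DirectoryServices

$dom  = 'S-1-5-21-1111111111-2222222222-3333333333'
$aces = @(
    "(D;;DT;;;$dom-1106)"       # explicit Deny: delete subtree
    "(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;$dom-1105)" # explicit Allow: create/delete user objects
    "(A;CI;WD;;;$dom-1105)"     # explicit Allow: modify the DACL itself
    "(A;CIID;RPLC;;;AU)"        # inherited Allow: read properties, list children
    "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"  # inherited Allow: full set of rights
)
$sddl = 'D:AI' + ($aces -join '')

# Parse the DACL the same way the directory classes do.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)

# One row per ACE: trustee, Allow or Deny, rights, and whether the ACE was
# set on this object (IsInherited = False) or flowed down from a parent.
$rules = $sd.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])
$rules |
    Select-Object IdentityReference, AccessControlType,
                  ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# Review check: explicit Allow ACEs that let a domain account change the
# DACL or take ownership, since such a delegate can grant itself more.
$risky = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$rules | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $risky) -ne 0) -and
    $_.IdentityReference.Value -like 'S-1-5-21-*'
} | ForEach-Object {
    'REVIEW: {0} holds {1}' -f $_.IdentityReference, $_.ActiveDirectoryRights
}
```

On a domain-joined machine with the ActiveDirectory module loaded, the same `ActiveDirectorySecurity` object for a real OU can be obtained with `Get-Acl` on the `AD:` drive instead of the constructed SDDL string.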
[NOTES FROM THE FIELD] – In order to view the Security tab of an object and/or to see other advanced views in the Active Directory Users and Computers MMC, you need to select VIEW and then choose Advanced Features.