Learn AD in 15 Minutes a Week: Delegation of Authority - Assigning Object Permissions Page 2

Use the DACL on the shared physical resource to control access to that shared physical resource. For example, with a shared folder, use the DACL to control who is allowed to read the data and who can write to the data.

With an Active Directory object you can control who has full control of the object, who can read it or write to its properties, who can create child objects (leaf objects excluded), etc.

Use the DACL on the object published in Active Directory to control who can view or change the properties of the published object. Users require Read permission on the DACL of a published object to view the published object or to have the object appear in the results list when searching for a published resource.

If a user has Read access to the Active Directory object and can see it in the directory (or in the results list of a search), but has no permissions, or an explicit Access Denied entry, in the DACL of the physical resource, they will not be able to access the resource either through the Active Directory object or locally at the physical resource itself. The two DACLs are evaluated independently: the directory object's DACL only controls visibility of the published object, and the resource's own DACL controls access to the data.

Below is the Security property sheet for the Software Organizational Unit.

In general, when setting up access to either Active Directory Objects or to files and folders, you want to use both global and domain local groups to allow users access to resources and to assign permission levels of access to those resources.

You want to add user accounts (A) into global groups (G), then add global groups into domain local groups (DL), and then grant published object or resource permissions (P) to the domain local groups. This is referred to as A G DL P, and it provides the most flexibility and the best tracking for administrative purposes of granting access permissions to network resources.

This design is available in both mixed and native domain modes.

In a pure native mode environment you can use the A G U DL P design.

In a native-mode, multiple-domain forest you put user accounts (A) into global groups (G), add the global groups to universal groups (U), put the universal groups into domain local groups (DL), and then grant permissions (P) to the domain local groups.
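The following PowerShell script is an added example, not code from the original article, that carries out the A G DL P pattern described above end to end for a shared folder and its published Active Directory object, covering both the two-DACL point (Read on the published object, a separate grant on the physical resource) and the group-nesting order. It assumes the RSAT ActiveDirectory module, a domain `corp.example` with an `OU=Software` container, a folder `D:\Shares\Software` that is already shared and published as a `volume` object named `Software`, and existing accounts `alice` and `bob`; all of these names and paths are assumptions chosen for the example.

```powershell
# Added example (not from the original article): A G DL P for a published shared folder.
# Assumptions: ActiveDirectory module installed, OU=Software exists, the folder below is
# already shared as "Software" and published in the OU as a 'volume' object,
# and 'alice' / 'bob' are existing sAMAccountNames.
Import-Module ActiveDirectory

$ou        = 'OU=Software,DC=corp,DC=example'   # assumption: OU holding groups and the published object
$folder    = 'D:\Shares\Software'               # assumption: local folder backing the share
$shareName = 'Software'                         # assumption: SMB share / published object name

# A -> G: accounts go into a global group that describes WHO the users are.
$global = New-ADGroup -Name 'Software-Developers' -GroupScope Global `
            -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $global -Members 'alice', 'bob'

# G -> DL: the global group goes into a domain local group that describes WHAT access is granted.
$dl = New-ADGroup -Name 'Software-Share-Modify' -GroupScope DomainLocal `
        -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $dl -Members $global
$sid = [System.Security.Principal.SecurityIdentifier]$dl.SID

# DL -> P on the physical resource: Modify on the folder's NTFS DACL, inherited by children.
$ntfsAcl  = Get-Acl -Path $folder
$ntfsRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$ntfsAcl.AddAccessRule($ntfsRule)
Set-Acl -Path $folder -AclObject $ntfsAcl

# The SMB share has its own DACL that is evaluated as well; grant Change there.
Grant-SmbShareAccess -Name $shareName -AccountName "$env:USERDOMAIN\$($dl.Name)" `
    -AccessRight Change -Force

# DL -> P on the published object: Read on the AD 'volume' object so members can
# see it in the directory and in search results. This grants nothing on the data itself.
$published = Get-ADObject -SearchBase $ou `
               -Filter "objectClass -eq 'volume' -and name -eq '$shareName'"
$adPath = 'AD:\' + $published.DistinguishedName
$adAcl  = Get-Acl -Path $adPath
$adRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
              $sid,
              [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
              [System.Security.AccessControl.AccessControlType]::Allow)
$adAcl.AddAccessRule($adRule)
Set-Acl -Path $adPath -AclObject $adAcl

# Check: show the entries for the domain local group on both DACLs side by side,
# so an administrator can confirm that visibility (AD object) and access (NTFS) were both granted.
$dlName = "$env:USERDOMAIN\$($dl.Name)"
Write-Host "NTFS DACL entries for $dlName on $folder"
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -eq $dlName } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Write-Host "AD DACL entries for $dlName on $($published.DistinguishedName)"
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -eq $dlName } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Run the script as an account that can create groups in the OU and change both DACLs. Because the only principal named in either DACL is the domain local group, later changes in who may use the share are made by editing global group membership, which is the tracking benefit the A G DL P layering provides; for the A G U DL P variant in a multiple-domain forest, the global group would be added to a universal group and that universal group to the domain local group, with the permission grants unchanged.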

This article was originally published on Aug 1, 2002
