Learn AD in 15 Minutes a Week: Delegation of Authority - Assigning Object Permissions Page 3

Setting Permission Levels

You can allow or deny permissions for every object in Active Directory.

Among entries of the same kind (both set directly on the object, or both inherited), Denied permissions take precedence over any Allow set for a user or group, even Full Control. If a user is explicitly denied access and is granted Full Control through six other groups the user belongs to, that user is still denied. If a group is denied access, its members are still denied even if each of them is explicitly granted Full Control on their own user account and through two other group memberships.

[NOTES FROM THE FIELD] - As with all things Microsoft, there is an exception to this rule. An explicit Allow set directly on an object takes precedence over a Deny that the object inherited from its parent. Windows evaluates the entries on an object in a fixed order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. So if you are denied access to something through inheritance and an administrator grants you a permission directly on that object, the explicit grant is evaluated first and wins, even over the inherited Deny.

The same ordering applies in less dramatic cases. Allow entries are cumulative, so an explicit Allow for Write alongside an inherited Allow for Read gives you both; the ordering only decides the outcome when an Allow and a Deny conflict, for example an explicit Allow for Write set against an inherited Deny for Write, where the explicit Allow wins.

When permission to perform an operation is not explicitly assigned, it is implicitly denied. In other words, if no entry grants you any access to an object, whether directly, through a group, or through inheritance, you have no access to it; nothing has to be denied for you to be locked out.

When permission is granted indirectly, through inheritance or group membership, it can still be explicitly denied on the object itself. If a user gains access to an object through inheritance, you can set a Deny for that user directly on the object. If a user gains access through group membership and you want the group, but not that particular member, to have the access, you can deny that user directly on the object. Bear in mind the ordering above: a Deny set directly on the object is explicit, so it beats both an inherited Allow and an explicit Allow the user holds through a group.
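The rules above (Deny over Allow at the same level, explicit over inherited, and implicit deny when nothing matches) fall out of one mechanism: the entries on an object are kept in a fixed order and walked until the request is fully granted or a Deny is hit. The following is an added example, not code from the original article or from Microsoft, that models that walk in Python over a constructed scenario. The right names, user and group names, and the four entries in `example_acl()` are made up for illustration; the model ignores object-type and attribute-specific rights and the implicit rights of an object's owner.

```python
# Added example (not from the original article): a small model of the ACE
# ordering Windows uses when it checks access to an Active Directory object.
# Names, rights and ACEs below are constructed for illustration; this is not
# the real Windows access-check code.
from dataclasses import dataclass

# Standard permissions from the article, plus the two rights Full Control adds.
STANDARD_RIGHTS = frozenset({
    "read", "write", "create_child", "delete_child",
    "change_permissions", "take_ownership",
})
FULL_CONTROL = STANDARD_RIGHTS


@dataclass(frozen=True)
class Ace:
    """One access control entry on an object's DACL."""
    trustee: str             # user or group the entry applies to
    kind: str                # "allow" or "deny"
    rights: frozenset        # rights this entry covers
    inherited: bool = False  # True if it came from a parent container


@dataclass(frozen=True)
class Principal:
    """A user plus the groups in its token."""
    name: str
    groups: frozenset


def canonical_order(acl):
    """Order ACEs the way a canonical Windows DACL stores them:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind == "allow"))


def check_access(principal, acl, requested):
    """Return True if the principal is granted every requested right.

    Walk the ACL in canonical order. A Deny that covers any right still
    outstanding ends the check with a denial; an Allow removes the rights it
    grants; the check succeeds as soon as nothing is outstanding. If the ACL
    runs out first, the result is an implicit deny.
    """
    trustees = {principal.name} | set(principal.groups)
    outstanding = set(requested)
    for ace in canonical_order(acl):
        if ace.trustee not in trustees:
            continue
        hit = ace.rights & outstanding
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        outstanding -= hit
        if not outstanding:
            return True
    return False


# Constructed scenario: the OU grants HelpDesk Full Control (inherited), an
# inherited Deny Read applies to AccountOperators, and two entries are set
# directly on the object for alice.
ALICE = Principal("alice", frozenset({"HelpDesk", "AccountOperators"}))
BOB = Principal("bob", frozenset({"HelpDesk"}))
CAROL = Principal("carol", frozenset())


def example_acl():
    return [
        Ace("HelpDesk", "allow", FULL_CONTROL, inherited=True),
        Ace("AccountOperators", "deny", frozenset({"read"}), inherited=True),
        Ace("alice", "deny", frozenset({"write"})),   # explicit deny on the object
        Ace("alice", "allow", frozenset({"read"})),   # explicit allow on the object
    ]


if __name__ == "__main__":
    acl = example_acl()
    # Explicit Deny beats Full Control held through a group.
    print("alice write:", check_access(ALICE, acl, {"write"}))           # False
    # Explicit Allow beats the inherited Deny from AccountOperators.
    print("alice read:", check_access(ALICE, acl, {"read"}))             # True
    # bob only has the inherited group Allow and is denied nowhere.
    print("bob read+write:", check_access(BOB, acl, {"read", "write"}))  # True
    # carol matches no entry at all: implicit deny.
    print("carol read:", check_access(CAROL, acl, {"read"}))             # False
```

Note that the walk stops the moment the requested rights are all granted, which is exactly why an explicit Allow "beats" an inherited Deny: the inherited Deny is simply never reached. It also shows why a Deny for one right does not block a request for a different right, while a request that bundles several rights fails as soon as any one of them hits a Deny.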

There are two types of permissions that can be set: Standard Permissions and Special Permissions. Special Permissions are the granular rights (individual attributes, extended rights, and so on) reached through the Advanced button on the Security tab.

Standard Permissions are the ones that can be set on the main property sheet of an object through the Security tab.

Full Control includes everything granted by the other standard permissions, plus the ability to change the object's permissions and to take ownership of it.

Read allows for the viewing of objects and object attributes, the object owner, and the Active Directory permissions.

Write allows for the ability to change attributes of an object.

Create All Child Objects allows for the addition of any type of child object in Active Directory.

Delete All Child Objects allows for the removal of any type of child object in Active Directory.

While it is possible to assign permissions directly to users, best practice is to assign permissions only to groups and manage access through group membership. This keeps ACLs short and auditable and avoids leaving behind orphaned entries when a user account is deleted.

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week covering the Windows 2000 Active Directory Delegation of Authority - Assigning Permissions. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,

"I still yet have to figure out why there are 5 syllables in the word 'monosyllabic'?"

Jason Zandri


This article was originally published on Aug 1, 2002