IT tutorials
 
Applications Server
 

Administering Active Directory Domain Services : Delegation and Security of Active Directory Objects (part 2)

12/3/2012 10:29:36 AM
- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

Assigning a Permission Using the Advanced Security Settings Dialog Box

Imagine a scenario in which you want to allow the help desk to change the password on James Fine’s account, and only James Fine’s account. In this section, you learn to do it the most complicated way first: by assigning the ACE on the DACL of the user object. Later, you’ll learn how to perform the delegation by using the Delegation Of Control Wizard for the entire OU of users, and you’ll see why this latter practice is recommended.

  1. Open the Active Directory Users And Computers snap-in.

  2. On the View menu, select the Advanced Features option.

  3. Right-click an object and click Properties.

  4. On the the Security tab, click Advanced.

  5. Click Add.

    If you have User Account Control enabled, you might need to click Edit and, perhaps, enter administrative credentials before the Add button will appear.

  6. In the Select dialog box, select the security principal to which permissions will be assigned.

    It is an important best practice to assign permissions to groups, not to individual users.

    In this example, you would select your Help Desk group.

  7. Click OK.

    The Permission Entry dialog box appears.

  8. Configure the permissions you want to assign.

    For our example, on the Object tab, scroll down the list of Permissions and select Allow::Reset Password.

  9. Click OK to close each dialog box.

Understanding and Managing Permissions with Inheritance

You can imagine that giving the help desk permission to reset passwords for each individual user object would be a nightmare. Luckily, you don’t have to, and, in fact, it’s a terrible practice to give permissions to individual objects in Active Directory. Instead, you give permissions to organizational units. The permissions you give to an OU are inherited by all objects in the OU. So, if you give the help desk permission to reset passwords for user objects, and you attach that permission to the OU that contains your users, all user objects within that OU inherit that permission. With one step, you delegate that administrative task.

Inheritance is an easy concept to understand. Child objects inherit the permissions of the parent container or OU. That container or OU in turn inherits its permissions from its parent container, OU, or, if it is a first-level container or OU, from the domain itself. The reason child objects inherit permissions from their parents is that, by default, each new object is created with the Include Inheritable Permissions From This Object’s Parent option enabled. You can see the option in Figure 2.

However, note that as the option indicates, only inheritable permissions are inherited by the child object. Not every permission is inheritable. For example, the permission to reset passwords, when assigned to an OU, would not be inherited by group objects because group objects do not have a password attribute. So inheritance can be scoped to specific object classes; passwords are applicable to user objects, not to groups. Additionally, you can use the Apply To box of the Permission Entry dialog box to scope the inheritance of a permission. The conversation can start to get very complicated. What you should know is that, by default, new objects inherit inheritable permissions from their parent object—usually an OU or container.

What if the permission that is being inherited is not appropriate? You can do three things to modify the permissions that a child object is inheriting.

First, you can disable inheritance by clearing the Include Inheritable Permissions From This Object’s Parent option in the Advanced Security Settings dialog box. When you do, the object no longer inherits any permissions from its parent—all permissions are explicitly defined for the child object. This is generally not a good practice, as it creates an exception to all the rules that are being created by permissions of parent containers.

The second option is to allow inheritance but override the inherited permission with a permission assigned specifically to the child object—an explicit permission. Explicit permissions always override permissions that are inherited from parent objects. This has an important implication: an explicit permission that allows access will actually override an inherited permission that denies the same access. If that sounds counterintuitive to you, it is not: the rule (Deny) is being defined by a parent, but the child object has been configured to be an exception (Allow).

Third, you can change the scope of inheritance on the parent permission itself by changing the option in the Apply To drop-down list in the Permission Entry dialog box. In most cases, this is the best practice. What you are doing, in effect, is defining the security policy in the form of the ACL more accurately at its source, rather than trying to override it further down the tree.

Tip

EXAM TIP

Look out for scenarios in which access or delegation are not performing as expected, either because inheritance has been broken—the child is no longer inheriting permissions from its parent—or because the child object has an explicit permission that overrides the permissions of the parent.

Delegating Administrative Tasks with the Delegation Of Control Wizard

You’ve seen the complexity of the DACL, and you’ve probably gleaned that managing permissions by using the Permission Entry dialog box is not a simple task. Luckily, the best practice is not to manage permissions by using the security interfaces but, rather, to use the Delegation Of Control Wizard. The following procedure explains the use of the wizard.

  1. Open the Active Directory Users And Computers snap-in.

  2. Right-click the node (Domain or OU) for which you want to delegate administrative tasks or control, and then click Delegate Control.

    In this example, select the OU that contains your users.

    The Delegation Of Control Wizard appears and guides you through the required steps.

  3. Click Next.

    The first step is to select the administrative group to which you are granting privileges.

  4. On the Users Or Groups page, click Add.

  5. Use the Select dialog box to select the group and click OK.

  6. Click Next.

    The next step is to specify the specific task you wish to assign that group.

  7. On the Tasks To Delegate page, select the task.

    In this example, you select the Reset User Passwords And Force Password Change At Next Logon task.

  8. Click Next.

  9. Review the summary of the actions that have been performed and click Finish.

    The Delegation Of Control Wizard applies the ACEs that are required to enable the selected group to perform the specified task.

Reporting and Viewing Permissions

You can view and report permissions several ways when you need to know who can do what. You’ve already seen that you can view permissions on the DACL by using the Advanced Security Settings and Permission Entry dialog boxes.

DSACLs (Dsacls.exe) is also available as a command-line tool that reports on directory service objects. If you type the command followed by the distinguished name of an object, you see a report of the object’s permissions. For example, this command produces a report of the permissions associated with the User Accounts OU:

dsacls.exe"ou=User Accounts,dc=contoso,dc=com"

DSACLs can also be used to set permissions—to delegate. Type dsacls.exe /? for help regarding the syntax and usage of DSACLs.

Removing or Resetting Permissions on an Object

How do you remove or reset permissions that have been delegated? Unfortunately, there is no “undelegate” command. You must do one of the following:

  • Open the Advanced Security Settings and Permission Entry dialog boxes to remove permissions.

  • If you want to reset the permissions on the object back to the defaults, open the Advanced Security Settings dialog box and click Restore Defaults. The default permissions are defined by the Active Directory schema for the class of object. After you’ve restored the defaults, you can reconfigure the explicit permissions you want to add to the DACL.

  • DSACLs also provides the /s switch to reset permissions to the schema-defined defaults, and the /t switch to make the change for the entire “tree”—the object and all of its child objects. For example, to reset permissions on the User Accounts OU and all of its child OUs and objects, you would enter:

    dsacls"ou=User Accounts,dc=contoso,dc=com" /s /t

Understanding Effective Permissions

Effective permissions are the resulting permissions for a security principal, such as a user or group, based on the cumulative effect of each inherited and explicit ACE. Your ability to reset a user’s password, for example, may be a result of your membership in a group that was given Reset Password permission on an OU several levels above the user object. The inherited permission assigned to a group to which you belong resulted in an effective permission of Allow::Reset Password. Your effective permissions can be complicated when you consider Allow and Deny permissions, explicit and inherited ACEs, and the fact that you may belong to multiple groups, each of which may be assigned different permissions.

Permissions, whether assigned to your user account or to a group to which you belong, are equivalent. In the end, an ACE applies to you, the user. The best practice is to manage permissions by assigning them to groups, but it is also possible to assign ACEs to individual users or computers. A permission that has been assigned directly to you is neither more important nor less important than a permission assigned to a group to which you belong.

Permissions that allow access (Allow permissions) are cumulative. When you belong to several groups, and those groups have been granted permissions that allow a variety of tasks, you can perform all of the tasks assigned to all of those groups as well as tasks assigned directly to your user account.

Permissions that deny access (Deny permissions) override equivalent Allow permissions. If you are in one group that has been allowed the permission to reset passwords, and another group that has been denied permission to reset passwords, the Deny permission prevents you from resetting passwords.

Note

USE DENY PERMISSIONS SPARINGLY

It is generally unnecessary to assign Deny permissions. If you simply do not assign an allow permission, users cannot perform the task. Before assigning a Deny permission, check to see if you could achieve your goal by removing an Allow permission instead. Use Deny permissions rarely and thoughtfully.

Each permission is granular. For example, if you have been denied the ability to reset passwords, you might still have the ability, through other Allow permissions, to change the user’s logon name or email address.

Finally, you learned earlier in this lesson that child objects inherit the inheritable permissions of parent objects by default, and that explicit permissions can override inheritable Permissions. This means that an explicit Allow permission actually overrides an inherited deny permission.

Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can make evaluating effective permissions a bit of a chore. There is an Effective Permissions tab in the Advanced Security Settings dialog box of an Active Directory object, but the tab is practically useless: It does not expose enough permissions to provide the kind of detailed information you require. You can use the permissions reported by the DSACLs command or those reported on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating effective permissions, but it will be a manual task.

Note

MORE INFO ROLE-BASED ACCESS CONTROL

The best way to manage delegation in Active Directory is through role-based access control. Although this approach will not be covered on the certification exam, it is well worth understanding for real-world implementation of delegation. See Windows Administration Resource Kit: Productivity Solutions for IT Professionals, by Dan Holme (Microsoft Press, 2008) for more information.

Designing an OU Structure to Support Delegation

OUs are, as you now know, administrative containers. They contain objects that share similar requirements for administration, configuration, and visibility. You now understand the first of those requirements: administration. Objects that will be administered the same way, by the same administrators, should be contained within a single OU. By placing your users in a single OU, perhaps called User Accounts, you could delegate the help desk permission to change all users’ passwords by assigning one permission to one OU. Any other permissions that affect what an administrator can do to a user object would be assigned at the User Accounts OU. For example, you might allow your Human Resources managers to disable user accounts in the event of an employee’s termination. You would delegate that permission, again, to the User Accounts OU.

Remember that administrators should be logging on to their systems with user credentials and launching administrative tools with the credentials of a secondary account that has appropriate permissions to perform administrative tasks. Those secondary accounts are the administrative accounts of the enterprise. It is not appropriate for the front-line help desk to be able to reset passwords on such privileged accounts, and you probably would not want human resources managers to disable administrative accounts. Therefore, administrative accounts should be administered differently than “normal” (non-administrative) user accounts. That’s why you would have a separate OU, such as Admins, for administrative user objects. That OU would be delegated quite differently than the User Accounts OU.

Similarly, you might delegate to the desktop support team the ability to add computer objects to an OU called Client Computers, which contains your desktops and laptops, but not to the Servers OU, where only your Server Administration group has permissions to create and manage computer objects.

The primary role of OUs is to efficiently scope delegation—to apply permissions to objects and sub-OUs. When you design an Active Directory environment, you always begin by designing an OU structure that will make delegation efficient—a structure that reflects the administrative model of your organization. Rarely does object administration in Active Directory look like your organizational chart. Typically, all normal user accounts are supported the same way, by the same team—so user objects are often found in a single OU or a single OU branch. Quite often an organization that has a centralized help desk function to support users also has a centralized desktop support function, in which case all client computer objects are within a single OU or single OU branch. But if desktop support is decentralized, it would be likely that the Client Computers OU would be divided into sub-OUs representing geographic locations, where each location was delegated to allow the local support team to add computer objects to the domain in that location.

Design OUs first to enable the efficient permissioning (delegation) of objects in the directory. After you have achieved that design, you can refine the design to facilitate the configuration of computers and users through Group Policy. Active Directory design is an art and a science.

Practice Delegating Administrative Tasks

Practice Delegating Administrative Tasks

In this practice, you manage the delegation of administrative tasks within the contoso.com domain and view the resulting changes to ACLs on Active Directory objects. 

EXERCISE: 1 Delegate Control for Support of User Accounts

In this exercise, you enable the help desk to support users by resetting passwords and unlocking user accounts in the User Accounts OU.

  1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

  2. Expand the domain node, contoso.com, right-click the User Accounts OU, and click Delegate Control to launch the Delegation Of Control Wizard.

  3. Click Next.

  4. On the Users Or Groups page, click Add.

  5. In the Select dialog box, type Help Desk, and then click OK.

  6. Click Next.

  7. On the Tasks To Delegate page, select the Reset User Passwords And Force Password Change At Next Logon task.

  8. Click Next.

  9. Review the summary of the actions that have been performed and click Finish.

EXERCISE 2 View Delegated Permissions

In this exercise, you view the permissions you assigned to the Help Desk group.

  1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.

  2. Right-click the User Accounts OU and choose Properties.

    Note that the Security tab is not visible. If Advanced Features is not enabled, you cannot see the Security tab in an object’s Properties dialog box.

  3. Click OK to close the Properties dialog box.

  4. On the View menu, select the Advanced Features option.

  5. Right-click the User Accounts OU and choose Properties.

  6. On the Security tab, click Advanced.

  7. In the Permission Entries list, select the first permission assigned to the Help Desk group.

  8. Click Edit.

  9. In the Permission Entry dialog box, locate the permission that is assigned, and then click OK to close the dialog box.

  10. Repeat steps 7–9 for the second permission entry assigned to the Help Desk group.

  11. Right-click a user object in the User Accounts OU and choose Properties. Repeat steps 6–10 to examine the inherited permissions assigned to the Help Desk group.

  12. Open Command Prompt, type dsacls “ou=User Accounts,dc=contoso,dc=com”, and press Enter.

  13. Locate the permissions assigned to the Help Desk group.

 
Others
 
- Administering Active Directory Domain Services : Delegation and Security of Active Directory Objects (part 1)
- Microsoft Dynamics AX 2009 : Creating configuration documents using Word
- Microsoft Dynamics AX 2009 : Creating Word documents from templates
- SharePoint Applications Using Windows Azure : Create a Web Part That Uses the Windows Azure WCF Service
- SharePoint Applications Using Windows Azure : Create a WCF Service and Deploy It to Windows Azure
- Deploying Exchange Server 2010 : Integrating Exchange Server Roles with Active Directory
- Deploying Exchange Server 2010 : Exchange Server Messaging Roles
- SharePoint 2010: Performing Backups and Restores (part 3) - Example of Performing a SharePoint 2010 Farm Backup and Restore
- SharePoint 2010: Performing Backups and Restores (part 2) - Using STSADM
- SharePoint 2010: Performing Backups and Restores (part 1) - Using Windows PowerShell
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Technology FAQ
- Is possible to just to use a wireless router to extend wireless access to wireless access points?
- Ruby - Insert Struct to MySql
- how to find my Symantec pcAnywhere serial number
- About direct X / Open GL issue
- How to determine eclipse version?
- What SAN cert Exchange 2010 for UM, OA?
- How do I populate a SQL Express table from Excel file?
- code for express check out with Paypal.
- Problem with Templated User Control
- ShellExecute SW_HIDE
programming4us programming4us