1
Chapter Overview
Managing Object and Container Permissions
Locating and Moving Active Directory Objects
Delegating Control
Troubleshooting Active Directory Service
2
Managing Object and Container Permissions
Microsoft Windows 2000 uses an object-based security model to implement access control for all Active Directory objects.
Every Active Directory object has a security descriptor that defines:
Who has permissions to access the object
What type of access is allowed
3
Understanding Active Directory Permissions
Active Directory permissions let you control:
Who can access individual objects and object attributes
The type of access allowed
Either an administrator or the object's owner must assign permissions to the object before users can access the object.
Windows 2000 stores a list of user permissions, called the access control list (ACL), in every Active Directory object.
You can use permissions to grant administrative privileges to a specific user or group for an organizational unit (OU), a hierarchy of OUs, or a single object, without assigning them administrative permissions for other Active Directory objects.
4
Object Permissions
The permissions you can grant for an object vary, depending on the object type.
When you assign permission to a user who is a member of a group that has different permissions, the user's effective permission is the combination of the user and group permissions. For example, Read + Write = Read and Write
5
Object Permissions (Cont.)
You can allow or deny permissions to Active Directory objects, as you can for NT file system (NTFS) and share permissions.
Denied permissions take precedence over assigned permissions.
Deny permissions only when absolutely necessary.
Ensure that every Active Directory object has at least one user with the Full Control permission.
6
Standard Permissions and Special Permissions
You can set standard and special permissions for Active Directory objects.
Standard permissions are the most frequently used combinations of special permissions and simplify the task of controlling access to the Active Directory service.
Special permissions provide a finer degree of access control.
7
Standard Permissions
Permission: Enables the user to
Full Control: Change permissions, take ownership, and perform tasks allowed by all other standard permissions
Read: View objects and object attributes, the object owner, and Active Directory permissions
Write: Change object attributes
Create All Child Objects: Add any type of child object to an OU
Delete All Child Objects: Remove any type of object from an OU
8
Assigning Active Directory Permissions
You use Active Directory Users And Computers to set standard permissions for objects and object attributes.
You assign standard permissions in the Security tab of an object's Properties dialog box.
If check boxes in the Permissions list of the Properties dialog box are shaded, the object has inherited permissions from a parent object.
Standard permissions are usually sufficient for most administrative tasks.
9
The Permission Entry For Users Dialog Box
10
Assigning Special Permissions for an Active Directory Object
To assign special permissions for an Active Directory object:
1. Open the Properties dialog box for the object, click the Security tab, and then click Advanced.
2. In the Permissions tab, select an entry to view or edit, and then click View/Edit.
3. In the Object tab in the Permission Entry For Users dialog box, change permissions as needed, and then click OK.
11
Using Permissions Inheritance
When you assign permissions to Active Directory objects, you can specify that the permissions be applied to this object only or to this object and all child objects.
For example, you can grant a group the Full Control permission for an OU that contains printers, and specify that the permission be applied to this object and all child objects.
In this case, all of the group's members can administer all of the printers in the OU.
12
Using Permissions Inheritance (Cont.)
To prevent a child object from inheriting permissions from a parent object:
1. In the Security tab in the child object's Properties dialog box, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
2. Select the Copy option or the Remove option.
Copy: copies the previously inherited permissions to the object, which you can then modify
Remove: removes all previously inherited permissions, giving you a blank slate to assign any necessary permissions
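As an added example (not from the slides), the following PowerShell audits an OU subtree for the conditions this lesson raises: Deny entries, objects whose inheritance from the parent has been blocked, and objects with no principal holding Full Control. It assumes the ActiveDirectory module from RSAT on a current Windows version rather than the Windows 2000 tools, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the course slides): audit the ACL conditions the
# slides call out on every object under an OU. Assumes the ActiveDirectory
# module (RSAT) is installed; the OU distinguished name is a placeholder.
Import-Module ActiveDirectory

function Get-AdAclFindings {
    param(
        [Parameter(Mandatory)][string]$SearchBase   # e.g. "OU=Printers,DC=example,DC=local"
    )
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    # The container itself plus every object beneath it.
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter *
    foreach ($obj in $objects) {
        # The AD: PSDrive exposes each object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        # Deny entries take precedence over Allow entries, so list them explicitly.
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        # The slides ask that at least one principal keep Full Control (GenericAll).
        $fullCtl = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
        })
        [pscustomobject]@{
            DistinguishedName  = $obj.DistinguishedName
            # True when "Allow Inheritable Permissions From Parent..." was cleared.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitAceCount   = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
            DenyEntries        = ($denies | ForEach-Object { "$($_.IdentityReference)=$($_.ActiveDirectoryRights)" }) -join '; '
            HasFullControl     = $fullCtl.Count -gt 0
        }
    }
}

# Usage: report only the objects that deviate from the guidelines.
Get-AdAclFindings -SearchBase "OU=Printers,DC=example,DC=local" |
    Where-Object { $_.InheritanceBlocked -or $_.DenyEntries -or -not $_.HasFullControl } |
    Format-Table -AutoSize
```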
13
Lesson Summary
Every Active Directory object has a security descriptor that defines who has permission to access the object and what type of access is allowed.
Use Active Directory Users And Computers to assign standard and special permissions for objects and object attributes.
You can specify that the permissions be applied to this object only, or be applied to this object and all child objects.
To prevent a child object from inheriting permissions from a parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box in the child object’s Properties dialog box.
14
Locating and Moving Active Directory Objects
Active Directory stores information about objects on the network.
Each object is a set of attributes that represents a specific network entity.
You can move Active Directory objects from one location to another when organizational or administrative functions change.
15
The Most Common Active Directory Objects
User Contact Group Shared folder Printer Computer Domain controller Organizational unit (OU)
16
Locating Active Directory Objects
Active Directory maintains a Global Catalog of the entire directory. The Global Catalog:
Contains key information about every object in every domain
Stores key attributes used for searching
Any domain controller can be designated a Global Catalog server.
You can run basic and advanced searches for Active Directory objects by using the Find dialog box in Active Directory Users And Computers.
17
The Find Users, Contacts, And Groups Dialog Box
18
The Advanced Search Interface
19
Condition Options in the Advanced Search Interface
20
Moving Active Directory Objects
You can move Active Directory objects, for example, to accommodate physical changes on the network or personnel changes between departments.
Objects can be moved to a new container, OU, domain, or site.
You can move Active Directory objects within and between domains.
You can move domain controllers between sites.
21
Moving Objects Within a Domain
You can move Active Directory objects to different OUs or containers within a domain.
To use Active Directory Users And Computers to move objects within a domain:
1. In the console tree, right-click the object you want to move, and then select Move.
2. Select the OU or container you want to move the object to, and then click OK.
22
The Move Dialog Box
23
Conditions When Moving Objects Within a Domain
When you move an object between OUs or containers within a domain:
Permissions that are assigned directly to the object remain in force after the object is moved
The moved object no longer inherits permissions from its old OU or container; instead, the object inherits permissions from its new parent OU or container
You can move multiple objects at the same time
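As an added example (not from the slides), this PowerShell moves an object within a domain and then checks the two conditions stated above: explicitly assigned ACEs survive the move, while inherited ACEs are replaced by those of the new parent. It assumes the ActiveDirectory module on a current Windows version; the distinguished names and the helper names are placeholders chosen for the example.

```powershell
# Added example (not from the course slides): move an object with Move-ADObject
# and compare its explicit and inherited ACEs before and after the move.
# Assumes the ActiveDirectory module; the distinguished names are placeholders.
Import-Module ActiveDirectory

function Get-AceKeys {
    # Reduce each ACE to a comparable string so two ACLs can be diffed.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl, [bool]$Inherited)
    @($Acl.Access |
        Where-Object { $_.IsInherited -eq $Inherited } |
        ForEach-Object { "$($_.IdentityReference)|$($_.AccessControlType)|$($_.ActiveDirectoryRights)|$($_.ObjectType)" } |
        Sort-Object -Unique)
}

function Move-AdObjectWithAclCheck {
    param(
        [Parameter(Mandatory)][string]$Identity,    # DN of the object to move
        [Parameter(Mandatory)][string]$TargetPath   # DN of the destination OU or container
    )
    $before          = Get-Acl -Path ("AD:\" + $Identity)
    $explicitBefore  = Get-AceKeys -Acl $before -Inherited $false
    $inheritedBefore = Get-AceKeys -Acl $before -Inherited $true

    # -PassThru returns the object with its new distinguished name, which avoids
    # rebuilding the DN by hand (RDNs can contain escaped commas).
    $moved = Move-ADObject -Identity $Identity -TargetPath $TargetPath -PassThru
    $after = Get-Acl -Path ("AD:\" + $moved.DistinguishedName)

    $explicitDiff  = @(Compare-Object $explicitBefore  (Get-AceKeys -Acl $after -Inherited $false))
    $inheritedDiff = @(Compare-Object $inheritedBefore (Get-AceKeys -Acl $after -Inherited $true))
    [pscustomobject]@{
        NewDistinguishedName  = $moved.DistinguishedName
        # Directly assigned permissions are expected to remain in force.
        ExplicitAcesUnchanged = ($explicitDiff.Count -eq 0)
        # Inherited permissions now come from the new parent, so they differ
        # whenever the old and new parents carry different inheritable ACEs.
        InheritedAcesChanged  = ($inheritedDiff.Count -gt 0)
        InheritedAceDelta     = ($inheritedDiff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" })
    }
}

# Usage:
Move-AdObjectWithAclCheck -Identity "CN=Printer01,OU=Sales,DC=example,DC=local" `
                          -TargetPath "OU=Marketing,DC=example,DC=local"
```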
24
Moving Objects Between Domains
You can use the Movetree command-line utility to move Active Directory objects between domains in a single forest, with some exceptions.
Movetree is part of the Windows 2000 Support Tools, which can be installed from the Microsoft Windows 2000 Server CD-ROM.
25
Moving Objects Between Domains (Cont.)
To move an existing object, you must make the object a child of an existing parent object that already resides in the new location.
Movetree enables you to move an OU to another domain while keeping all of the linked group policy objects (GPOs) in the old domain intact.
26
Moving Domain Controllers Between Sites
When you install the first domain controller in the forest, Windows 2000 automatically creates the Default-First-Site-Name site, and installs the domain controller in that site.
You can use Active Directory Sites And Services to move domain controllers from one site to another.
27
The Move Server Dialog Box
28
Lesson Summary
Use the Find dialog box in Active Directory Users And Computers to locate Active Directory objects.
To move Active Directory objects to different locations in the same domain, use Active Directory Users And Computers.
To move objects to a different domain, use the Movetree.exe command-line utility.
To move a domain controller to a different site, use Active Directory Sites And Services.
29
Delegating Control
You can delegate administrative control of Active Directory objects to individuals so they can perform administrative tasks on the objects.
30
Guidelines for Delegating Control
You delegate administrative control of objects by assigning permissions to the objects to allow users or groups of users to administer the objects.
An administrator can assign a user or group the permissions to:
Change the properties of a specific container
Create, modify, or delete specified types of objects in a specific OU or container
Modify specific properties of specified types of objects in a specific OU or container
31
Suggested Guidelines for Delegating Administrative Control
Assign control at the OU or container level whenever possible. This is the most common method of assigning administrative control.
Use the Delegation Of Control Wizard.
Track and record the delegation of permission assignments.
Follow the business requirements of your organization.
32
The Delegation Of Control Wizard
This wizard takes you through the process of assigning permissions at the OU or container level.
To start the wizard:
1. Open Active Directory Users And Computers.
2. Right-click the container or OU for which you want to delegate control, and then select Delegate Control.
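As an added example (not from the slides), this PowerShell delegates one task, resetting passwords on user objects in a single OU, by writing an explicit ACE of the kind the Delegation Of Control Wizard writes, and records the assignment to a CSV log as the guidelines above recommend. It assumes the ActiveDirectory module on a current Windows version; the OU, group and log path are placeholders, and the function name is the example's own.

```powershell
# Added example (not from the course slides): scripted delegation of the
# "Reset Password" control access right on user objects under one OU, with a
# record of the delegation written to CSV. Assumes the ActiveDirectory module;
# the OU, group and log path are placeholders.
Import-Module ActiveDirectory

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # e.g. "OU=Helpdesk Users,DC=example,DC=local"
        [Parameter(Mandatory)][string]$GroupSam,   # e.g. "HelpdeskOperators"
        [Parameter(Mandatory)][string]$LogPath     # e.g. "C:\Delegation\delegations.csv"
    )
    $root = Get-ADRootDSE
    # Resolve the GUIDs from the directory rather than hard-coding them:
    # the "Reset Password" control access right and the "user" object class.
    $rightGuid = [guid](Get-ADObject -SearchBase $root.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
        -Properties rightsGuid).rightsGuid
    $userClass = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
        -Properties schemaIDGUID).schemaIDGUID

    $sid  = (Get-ADGroup -Identity $GroupSam).SID
    $path = "AD:\" + $OuDn
    $acl  = Get-Acl -Path $path
    # Allow the extended right on descendant user objects only: the narrowest
    # scope that still lets the group perform the task on every user in the OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Record who delegated what, where and when so the assignment can be audited later.
    [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('o')
        DelegatedBy = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Principal   = $GroupSam
        Target      = $OuDn
        Right       = 'Reset Password on descendant user objects'
        RightGuid   = $rightGuid
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Usage:
Grant-ResetPasswordDelegation -OuDn "OU=Helpdesk Users,DC=example,DC=local" `
    -GroupSam "HelpdeskOperators" -LogPath "C:\Delegation\delegations.csv"
```

The wizard's "Reset user passwords" task may write additional attribute-level ACEs alongside this right; the script shows the core extended-right entry and the record-keeping step.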
33
The Select Users, Computers, Or Groups Dialog Box
34
The Tasks To Delegate Page
35
Lesson Summary
You can delegate administrative control of objects to individuals so they can perform administrative tasks on the objects.
Assign permissions at the OU or container level whenever possible.
Use the Delegation Of Control Wizard to grant users or groups control of specific object types in an OU or container.
36
Active Directory Troubleshooting Scenarios
Symptom: Cannot add or remove a domain
Cause: The domain naming master is not available.
Solution: Resolve the network connectivity problem or repair or replace the domain naming master computer. It might be necessary to seize the domain naming master role.
37
Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Cannot create objects in Active Directory
Cause: The relative ID master is not available.
Solution: Resolve the network connectivity problem or repair or replace the computer holding the relative ID master role. It might be necessary to seize the relative ID master role.
38
Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Cannot modify the schema
Cause: The schema master is not available.
Solution: Resolve the network connectivity problem or repair or replace the computer holding the schema master role. It might be necessary to seize the schema master role.
39
Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Changes to group memberships are not taking effect.
Cause: The infrastructure master is not available.
Solution: Resolve the network connectivity problem or repair or replace the computer holding the infrastructure master role. It might be necessary to seize the infrastructure master role.
40
Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Clients without Active Directory client software installed cannot log on.
Cause: The primary domain controller emulator is not available.
Solution: Resolve the network connectivity problem or repair or replace the computer holding the primary domain controller emulator role. It might be necessary to seize the primary domain controller emulator role.
41
Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Clients cannot access resources in another domain.
Cause: A failure of the trust between the domains has occurred.
Solution: Reset and verify the trust between the domains. The primary domain controller emulator must be available for a trust to be successfully reset.
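As an added example (not from the slides), this PowerShell ties the scenarios above together: it looks up the current holder of each operations master role, tests whether that domain controller answers on the LDAP port, and prints the symptom to expect when it does not. It assumes the ActiveDirectory module on a current Windows version and a domain user with read access to the forest and domain objects.

```powershell
# Added example (not from the course slides): map each troubleshooting symptom to
# its operations master, find the current role holder and test LDAP reachability.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Test-OperationsMasters {
    $forest = Get-ADForest     # forest-wide roles
    $domain = Get-ADDomain     # per-domain roles
    $roles = @(
        @{ Role = 'Schema master';         Holder = $forest.SchemaMaster;        Symptom = 'Cannot modify the schema' }
        @{ Role = 'Domain naming master';  Holder = $forest.DomainNamingMaster;  Symptom = 'Cannot add or remove a domain' }
        @{ Role = 'Relative ID master';    Holder = $domain.RIDMaster;           Symptom = 'Cannot create objects in Active Directory' }
        @{ Role = 'Infrastructure master'; Holder = $domain.InfrastructureMaster; Symptom = 'Group membership changes not taking effect' }
        @{ Role = 'PDC emulator';          Holder = $domain.PDCEmulator;         Symptom = 'Down-level clients cannot log on; trusts cannot be reset' }
    )
    foreach ($r in $roles) {
        # TCP 389 is LDAP; a holder that does not answer here explains the matching symptom.
        $reachable = Test-NetConnection -ComputerName $r.Holder -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role          = $r.Role
            Holder        = $r.Holder
            LdapReachable = $reachable
            SymptomIfDown = $r.Symptom
        }
    }
}

# Usage: an unreachable holder points at the role to repair (or, as a last resort, seize).
Test-OperationsMasters | Format-Table -AutoSize
```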
42
Lesson Summary
The domain naming master is needed to add or remove Active Directory domains.
The relative ID master is needed to create new objects in Active Directory.
The schema master is needed to modify the Active Directory schema.
The infrastructure master is needed to change group memberships.
The primary domain controller emulator is needed to log on to computers not running Active Directory client software.