1 Chapter Overview Managing Object and Container Permissions Locating and Moving Active Directory Objects Delegating Control Troubleshooting Active Directory Service

Upload: cassandra-knight

Post on 29-Jan-2016

Page 1

Chapter Overview

Managing Object and Container Permissions
Locating and Moving Active Directory Objects
Delegating Control
Troubleshooting Active Directory Service

Page 2

Managing Object and Container Permissions

Microsoft Windows 2000 uses an object-based security model to implement access control for all Active Directory objects.

Every Active Directory object has a security descriptor. Its discretionary access control list (DACL) defines
Who has permission to access the object
What type of access is allowed
The descriptor also records the object's owner and a system access control list (SACL), which holds auditing entries rather than permissions.

Page 3

Understanding Active Directory Permissions

Active Directory permissions let you control
Who can access individual objects and object attributes
The type of access allowed

Either an administrator or the object's owner must assign permissions to the object before users can access the object.

Windows 2000 stores the permissions for every Active Directory object as an access control list (ACL): an ordered list of access control entries (ACEs), each of which allows or denies a user or group a set of rights on the object.

You can use permissions to grant administrative privileges to a specific user or group for an organizational unit (OU), a hierarchy of OUs, or a single object, without assigning them administrative permissions for other Active Directory objects.

Page 4

Object Permissions

The permissions you can grant for an object vary, depending on the object type.

When you assign permission to a user who is also a member of a group that has different permissions, the user's effective permission is the combination of the user's own permissions and those of every group the user belongs to (including nested groups). For example, Read assigned to the user + Write assigned to the group = Read and Write. A Deny entry is the one exception to this accumulation and is covered on the next slide.

Page 5

Object Permissions (Cont.)

You can allow or deny permissions to Active Directory objects, like you can for NT file system (NTFS) and share permissions.

Denied permissions take precedence over allowed permissions set at the same level. Windows evaluates the ACL in a fixed order: entries set on the object itself (explicit) before entries inherited from a parent, and within each of those groups, Deny entries before Allow entries. An explicit Deny therefore overrides an explicit Allow, but an explicit Allow on an object overrides a Deny inherited from its parent.

Deny permissions only when absolutely necessary. A Deny entry is easy to overlook when troubleshooting "access denied" errors and can lock out administrators as readily as the users it was meant for.

Ensure that every Active Directory object has at least one user or group (normally Domain Admins or Administrators) with the Full Control permission.
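As an added example (not part of the original chapter), the following PowerShell reads an object's ACL and walks it in the order Windows uses (explicit entries before inherited ones, Deny before Allow within each) to show which entry decides whether a given user gets a requested right. It assumes the ActiveDirectory module and its AD: drive from the Remote Server Administration Tools (Windows Server 2008 R2 and later; these cmdlets postdate Windows 2000, but the security descriptor model they expose is the one described here). The account jdoe and the OU OU=Sales,DC=corp,DC=example are placeholders.

```powershell
# Added example: walk an AD object's DACL in access-check order for a given user.
# Assumes the ActiveDirectory module (RSAT); all account and OU names are placeholders.
Import-Module ActiveDirectory

function Get-TrusteeSids {
    # SIDs an access check would find in the user's token (simplified): the user itself, the
    # primary group, every group the user is in directly or through nesting
    # (LDAP_MATCHING_RULE_IN_CHAIN), plus the well-known Everyone and Authenticated Users SIDs.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $sids = New-Object System.Collections.Generic.List[string]
    $sids.Add($user.SID.Value)
    $sids.Add((Get-ADGroup -Identity $user.PrimaryGroup).SID.Value)
    # The DN goes into an LDAP filter, so escape RFC 4515 metacharacters (DNs often contain "\,").
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $sids.Add($_.SID.Value) }
    $sids.Add('S-1-1-0')    # Everyone
    $sids.Add('S-1-5-11')   # Authenticated Users
    return $sids
}

function Test-AdAccess {
    # Simplified version of the Windows access check. The DACL is stored in canonical order
    # (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and is evaluated top to
    # bottom: the first Deny that covers a right still being requested refuses access; Allow
    # entries accumulate until every requested right has been granted.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$TrusteeSids,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Requested
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $remaining = [int]$Requested
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.Access) {
        # Skip entries that exist only to be inherited by children, and entries scoped to one
        # property or one child class (ObjectType set); a full check matches those by GUID.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }    # orphaned SID that no longer resolves
        if ($TrusteeSids -notcontains $sid) { continue }

        $scope = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $bits = [int]$ace.ActiveDirectoryRights
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            if (($bits -band $remaining) -ne 0) {
                return [pscustomobject]@{ Granted = $false; DecidedBy = "$scope Deny for $($ace.IdentityReference)" }
            }
        } else {
            $remaining = $remaining -band (-bnot $bits)
            if ($remaining -eq 0) {
                return [pscustomobject]@{ Granted = $true; DecidedBy = "$scope Allow for $($ace.IdentityReference)" }
            }
        }
    }
    # No entry granted everything that was asked for: access is denied by default.
    # (The object's owner additionally gets Read Permissions and Modify Permissions implicitly.)
    return [pscustomobject]@{ Granted = $false; DecidedBy = 'no matching Allow entry (implicit deny)' }
}

# Usage with placeholder names: does jdoe get Write on the Sales OU, and which entry decides it?
$sids = Get-TrusteeSids -SamAccountName 'jdoe'
Test-AdAccess -DistinguishedName 'OU=Sales,DC=corp,DC=example' -TrusteeSids $sids -Requested WriteProperty
```

Run it once with an explicit Allow on the object and a Deny inherited from the parent OU for the same group, and the result is Granted with "explicit Allow" as the deciding entry, which is the ordering rule above in action. The function deliberately ignores property-specific and class-specific entries; for those, the Effective Permissions calculation in later versions of the ACL editor is the authoritative check.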

Page 6

Standard Permissions and Special Permissions

You can set standard and special permissions for Active Directory objects.

Standard permissions
Are the most frequently used combinations of special permissions
Simplify the task of controlling access to the Active Directory service

Special permissions provide a finer degree of access control.

Page 7

Standard Permissions

Object Permission: Enables the user to

Full Control: Change permissions, take ownership, and perform tasks allowed by all other standard permissions
Read: View objects and object attributes, the object owner, and Active Directory permissions
Write: Change object attributes
Create All Child Objects: Add any type of child object to an OU
Delete All Child Objects: Remove any type of object from an OU

Page 8

Assigning Active Directory Permissions

You use Active Directory Users And Computers to set standard permissions for objects and object attributes.

You assign standard permissions in the Security tab of an object's Properties dialog box. The Security tab is shown only when Advanced Features is selected on the console's View menu.

If check boxes in the Permissions list of the Properties dialog box are shaded, the object has inherited permissions from a parent object.

Standard permissions are usually sufficient for most administrative tasks.

Page 9

The Permission Entry For Users Dialog Box

Page 10

Assigning Special Permissions for an Active Directory Object

To assign special permissions for an Active Directory object:

1. Open the Properties dialog box for the object, click the Security tab, and then click Advanced.
2. In the Permissions tab, select an entry to view or edit, and then click View/Edit.
3. In the Object tab in the Permission Entry For Users dialog box, change permissions as needed, and then click OK.

The Object tab controls rights on the object as a whole and on the child objects it may contain; the Properties tab of the same dialog box allows or denies reading and writing individual attributes.

Page 11

Using Permissions Inheritance

When you assign permissions to Active Directory objects, you can specify that the permissions be applied to this object only or to this object and all child objects.

For example, you can grant a group the Full Control permission for an OU that contains printers, and specify that the permission be applied to this object and all child objects. In this case, all of the group's members can administer all of the printers in the OU, including any printer created in or moved into the OU later.

Page 12

Using Permissions Inheritance (Cont.)

To prevent a child object from inheriting permissions from a parent object:

1. In the Security tab in the child object's Properties dialog box, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
2. Select the Copy option or the Remove option.

Copy: copies the previously inherited permissions to the object as explicit permissions, which you can then modify
Remove: removes all previously inherited permissions, giving you a blank slate to assign any necessary permissions

Remove can leave the object without any Full Control entry, so check the resulting permission list before you click OK. Blocking inheritance also means that later changes made at the parent no longer reach this object, which is easy to forget when permissions are reviewed at the OU level.
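The inheritance controls on the last two slides map directly onto the ObjectSecurity API. The following PowerShell is an added example, not part of the chapter: one function grants a standard permission either to "this object only" or to "this object and all child objects", the other blocks inheritance in Copy or Remove mode and refuses to write the change if no Full Control entry would be left. It assumes the ActiveDirectory module and AD: drive (RSAT, Windows Server 2008 R2 and later); the OU and group names are placeholders.

```powershell
# Added example: the Security tab's inheritance controls driven from PowerShell.
# Assumes the ActiveDirectory module (RSAT); OU and group names are placeholders.
Import-Module ActiveDirectory

function Grant-AdStandardPermission {
    # Grant a group a standard permission on an object, either for "This object only" or for
    # "This object and all child objects" (ActiveDirectorySecurityInheritance All).
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [switch]$AndAllChildObjects
    )
    $sid = (Get-ADGroup -Identity $Group).SID
    $inherit = if ($AndAllChildObjects) { [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All }
               else { [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None }
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $Rights, $allow, $inherit)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl    # needs Modify Permissions on the object
}

function Protect-AdObjectAcl {
    # Clearing "Allow Inheritable Permissions From Parent To Propagate To This Object":
    # Copy keeps the previously inherited entries as explicit ones; Remove drops them.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][ValidateSet('Copy', 'Remove')][string]$Mode
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($true, ($Mode -eq 'Copy'))    # (isProtected, preserveInheritance)

    # Remove can strip the only Full Control entry. Check the in-memory result before writing it.
    $ga = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = @($acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $_.ObjectType -eq [guid]::Empty -and
        (([int]$_.ActiveDirectoryRights -band $ga) -eq $ga)
    })
    if ($fullControl.Count -eq 0) {
        throw "Refusing to protect ${DistinguishedName}: no Full Control entry would remain"
    }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

# Usage with placeholder names: the printer-OU example from the slide, then a nested OU that
# keeps a copy of what it had inherited before it was cut off from the parent.
Grant-AdStandardPermission -DistinguishedName 'OU=Printers,DC=corp,DC=example' -Group 'PrintAdmins' `
    -Rights GenericAll -AndAllChildObjects
Protect-AdObjectAcl -DistinguishedName 'OU=Lobby,OU=Printers,DC=corp,DC=example' -Mode Copy
```

The listing that Protect-AdObjectAcl returns is the same information as the shaded check boxes on the Security tab: after Copy every entry shows IsInherited False, after Remove only the entries you add yourself remain.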

Page 13

Lesson Summary

Every Active Directory object has a security descriptor that defines who has permission to access the object and what type of access is allowed.

Use Active Directory Users And Computers to assign standard and special permissions for objects and object attributes.

You can specify that the permissions be applied to this object only, or be applied to this object and all child objects.

To prevent a child object from inheriting permissions from a parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box in the child object's Properties dialog box.

Page 14

Locating and Moving Active Directory Objects

Active Directory stores information about objects on the network.

Each object is a set of attributes that represents a specific network entity.

You can move Active Directory objects from one location to another when organizational or administrative functions change.

Page 15

The Most Common Active Directory Objects

User
Contact
Group
Shared folder
Printer
Computer
Domain controller
Organizational unit (OU)

Page 16

Locating Active Directory Objects

Active Directory maintains a Global Catalog of the entire directory. The Global Catalog
Contains key information about every object in every domain
Stores the key attributes used for searching (the partial attribute set), not every attribute of each object

Any domain controller can be designated a Global Catalog server. Clients query the Global Catalog over LDAP on port 3268 instead of the standard port 389, so a forest-wide search needs a server that listens on that port.

You can run basic and advanced searches for Active Directory objects by using the Find dialog box in Active Directory Users And Computers.

Page 17

The Find Users, Contacts, And Groups Dialog Box

Page 18

The Advanced Search Interface

Page 19

Condition Options in the Advanced Search Interface
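The Find dialog's Name field and its condition drop-down are an LDAP filter underneath. As an added example (not part of the chapter), the following PowerShell reproduces that search against a Global Catalog so it spans every domain in the forest, and escapes the typed value before splicing it into the filter, which the dialog does for you and a script easily forgets. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later); the search values are placeholders.

```powershell
# Added example: a Find-dialog-style search against the Global Catalog with proper filter escaping.
# Assumes the ActiveDirectory module (RSAT); the name and category values are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value that will be spliced into an LDAP filter. Anything a person
    # types into a search box goes through this first; otherwise an input such as
    #   *)(objectClass=*
    # turns a name lookup into a listing of every object the caller is allowed to read.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

function Find-AdObjectInGlobalCatalog {
    # The Find dialog's Name field with its Starts With / Ends With / Contains / Is Exactly
    # conditions, run against a Global Catalog on port 3268 so the search spans every domain.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('StartsWith', 'EndsWith', 'Contains', 'IsExactly')][string]$Condition = 'StartsWith',
        [ValidateSet('user', 'contact', 'group', 'computer')][string]$Category = 'user',
        [string]$GlobalCatalog = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    )
    $v = ConvertTo-LdapFilterValue -Value $Name
    $pattern = switch ($Condition) {
        'StartsWith' { "$v*" }
        'EndsWith'   { "*$v" }
        'Contains'   { "*$v*" }
        'IsExactly'  { $v }
    }
    # Users and contacts share objectCategory=person, so the class is needed to tell them apart.
    $categoryFilters = @{
        user     = '(&(objectCategory=person)(objectClass=user))'
        contact  = '(&(objectCategory=person)(objectClass=contact))'
        group    = '(objectCategory=group)'
        computer = '(objectCategory=computer)'
    }
    $filter = "(&$($categoryFilters[$Category])(|(cn=$pattern)(displayName=$pattern)))"
    # Only attributes in the partial attribute set come back from a GC; anything else needs a
    # follow-up query to a domain controller of the object's own domain.
    Get-ADObject -Server "${GlobalCatalog}:3268" -LDAPFilter $filter -Properties displayName |
        Select-Object Name, displayName, ObjectClass, DistinguishedName
}

# Usage with placeholder values: everyone whose name starts with "Smi", forest-wide.
Find-AdObjectInGlobalCatalog -Name 'Smi' -Condition StartsWith -Category user
```

Try the function with the name `*)(objectClass=*` to see why the escaping matters: the escaped value matches nothing, while an unescaped copy of the same filter returns every user the caller can read.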

Page 20

Moving Active Directory Objects

You can move Active Directory objects, for example, to accommodate physical changes on the network or personnel changes between departments.

Objects can be moved to a new container, OU, domain, or site.

You can move Active Directory objects within and between domains.

You can move domain controllers between sites.

Page 21

Moving Objects Within a Domain

You can move Active Directory objects to different OUs or containers within a domain.

To use Active Directory Users And Computers to move objects within a domain:

1. In the console tree, right-click the object you want to move, and then select Move.
2. Select the OU or container you want to move the object to, and then click OK.

Page 22

The Move Dialog Box

Page 23

Conditions When Moving Objects Within a Domain

When you move an object between OUs or containers within a domain:
Permissions that are assigned directly to the object remain in force after the object is moved
The moved object no longer inherits permissions from its old OU or container; instead, the object inherits permissions from its new parent OU or container
You can move multiple objects at the same time

Because the inherited permissions change, a move can widen or narrow who administers the object. The object also comes under the group policy objects linked to its new OU rather than its old one. Review both before moving privileged accounts or computers.
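As an added example (not part of the chapter), the following PowerShell performs the move described above and reports exactly the two effects the slide lists: the explicit entries that travelled with the object, and the inherited entries that changed because the parent changed. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later); the distinguished names are placeholders.

```powershell
# Added example: move an object within a domain and report how its ACL changed.
# Assumes the ActiveDirectory module (RSAT); distinguished names are placeholders.
Import-Module ActiveDirectory

function Move-AdObjectWithAclReport {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$TargetPath    # DN of the destination OU or container
    )
    # A stable key for comparing entries before and after the move.
    $key = { param($a) "$($a.IdentityReference)|$($a.AccessControlType)|$([int]$a.ActiveDirectoryRights)|$($a.ObjectType)|$($a.InheritedObjectType)" }

    $before = @((Get-Acl -Path "AD:\$DistinguishedName").Access)
    $moved  = Move-ADObject -Identity $DistinguishedName -TargetPath $TargetPath -PassThru
    $after  = @((Get-Acl -Path "AD:\$($moved.DistinguishedName)").Access)

    $explicitBefore = @($before | Where-Object { -not $_.IsInherited } | ForEach-Object { & $key $_ })
    $explicitAfter  = @($after  | Where-Object { -not $_.IsInherited } | ForEach-Object { & $key $_ })
    $beforeKeys     = @($before | ForEach-Object { & $key $_ })

    [pscustomobject]@{
        NewDistinguishedName  = $moved.DistinguishedName
        # Entries set directly on the object travel with it.
        ExplicitEntriesIntact = (@($explicitBefore | Where-Object { $explicitAfter -notcontains $_ }).Count -eq 0)
        InheritedBefore       = @($before | Where-Object { $_.IsInherited }).Count
        InheritedAfter        = @($after  | Where-Object { $_.IsInherited }).Count
        # Entries that arrived with the new parent. Review these: a move can widen who
        # administers the object just as easily as it can narrow it.
        NewInheritedEntries   = @($after | Where-Object { $_.IsInherited -and ($beforeKeys -notcontains (& $key $_)) } |
            Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights)
    }
}

# Usage with placeholder names
Move-AdObjectWithAclReport -DistinguishedName 'CN=Jane Doe,OU=Sales,DC=corp,DC=example' `
    -TargetPath 'OU=Marketing,DC=corp,DC=example'
```

Pipe a list of distinguished names through the function to move several objects at once, as the slide says you can; each one gets its own report.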

Page 24

Moving Objects Between Domains

You can use the Movetree command-line utility to move Active Directory objects between domains in a single forest, with some exceptions. Movetree is part of the Windows 2000 Support Tools, which can be installed from the Microsoft Windows 2000 Server CD-ROM.

Page 25

Moving Objects Between Domains (Cont.)

To move an existing object, you must make the object a child of an existing parent object that already resides in the new location.

Movetree enables you to move an OU to another domain while keeping all of the linked group policy objects (GPOs) in the old domain intact: the OU's links continue to point at the GPOs stored in the source domain.

A security principal (user or group) that moves to another domain receives a new SID in the destination domain; its old SID is kept in the object's sIDHistory attribute so that ACLs in the old domain that name the old SID still grant access. sIDHistory therefore carries real privilege: audit it after a move and remove it once those ACLs have been updated.
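As an added example (not part of the chapter), the following PowerShell runs a cross-domain move with Movetree and then lists the sIDHistory values the move leaves behind. The Movetree syntax is that documented for the Windows 2000 Support Tools (the executable must be on the path); the sIDHistory query uses the ActiveDirectory module (RSAT, a later Windows feature). All host and OU names are placeholders.

```powershell
# Added example: a cross-domain move with Movetree, then a check of the sIDHistory it leaves behind.
# Movetree syntax as documented for the Windows 2000 Support Tools; the query afterwards needs
# the ActiveDirectory module (RSAT). All host and OU names are placeholders.
$srcDc = 'dc1.east.corp.example'
$dstDc = 'dc1.west.corp.example'
$srcDn = 'OU=Sales,DC=east,DC=corp,DC=example'
$dstDn = 'OU=Sales,DC=west,DC=corp,DC=example'   # parent (here the west domain root) must already exist

# /check runs only the preflight (name clashes, objects Movetree cannot move) and changes nothing.
# Read its output before running the move itself with /start.
& movetree.exe /check /s $srcDc /d $dstDc /sdn $srcDn /ddn $dstDn
& movetree.exe /start /s $srcDc /d $dstDc /sdn $srcDn /ddn $dstDn

# Every moved security principal now has a new objectSid in west and its old east SID in
# sIDHistory. ACLs in east that name the old SID still grant access, so record what moved
# and plan to clear sIDHistory once those ACLs have been re-pointed at the new SIDs.
Import-Module ActiveDirectory
Get-ADObject -Server $dstDc -SearchBase $dstDn -LDAPFilter '(sIDHistory=*)' -Properties objectSid, sIDHistory |
    Select-Object DistinguishedName, objectSid, @{ n = 'sIDHistory'; e = { $_.sIDHistory -join ';' } }
```

Keep the output of the last query with the change record for the move; it is the list of accounts whose old-domain access has to be reviewed.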

Page 26

Moving Domain Controllers Between Sites

When you install the first domain controller in the forest, Windows 2000 automatically creates the Default-First-Site-Name site, and installs the domain controller in that site.

You can use Active Directory Sites And Services to move domain controllers from one site to another.

Page 27

The Move Server Dialog Box

Page 28

Lesson Summary

Use the Find dialog box in Active Directory Users And Computers to locate Active Directory objects.

To move Active Directory objects to different locations in the same domain, use Active Directory Users And Computers.

To move objects to a different domain, use the Movetree.exe command-line utility.

To move a domain controller to a different site, use Active Directory Sites And Services.

Page 29

Delegating Control

You can delegate administrative control of Active Directory objects to individuals so they can perform administrative tasks on the objects.

Page 30

Guidelines for Delegating Control

You delegate administrative control of objects by assigning permissions to the objects to allow users or groups of users to administer the objects.

An administrator can assign a user or group the permissions to
Change the properties of a specific container
Create, modify, or delete specified types of objects in a specific OU or container
Modify specific properties of specified types of objects in a specific OU or container

Page 31

Suggested Guidelines for Delegating Administrative Control

Assign control at the OU or container level whenever possible. This is the most common method of assigning administrative control.
Delegate to groups rather than to individual user accounts, so that the assignment survives staff changes and can be reviewed by group membership.
Use the Delegation Of Control Wizard. Note that the wizard only adds permissions; to review or revoke a delegation you work in the Security tab.
Track and record the delegation of permission assignments.
Follow the business requirements of your organization.

Page 32

The Delegation Of Control Wizard

This wizard takes you through the process of assigning permissions at the OU or container level.

To start the wizard:

1. Open Active Directory Users And Computers.
2. Right-click the container or OU for which you want to delegate control, and then select Delegate Control.
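The wizard's task list is a set of presets, each of which writes a few object-specific permission entries to the OU. As an added example (not part of the chapter), the following PowerShell writes one of those presets by hand and then produces the record that the guideline "track and record the delegation" asks for. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later); the OU, group and output path are placeholders.

```powershell
# Added example: what the Delegation Of Control Wizard writes, done by hand, plus the record the
# delegation guidelines ask for. Assumes the ActiveDirectory module (RSAT); names are placeholders.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # Object-specific ACEs refer to classes, attributes and extended rights by GUID. Build a
    # GUID-to-name table from the schema and the Extended-Rights container so they can be read.
    $root = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Grant-AdPasswordResetDelegation {
    # The wizard's "Reset user passwords and force password change at next logon" task: the
    # Reset Password extended right plus Read/Write Property on pwdLastSet, scoped to descendant
    # user objects only. Nothing is granted on the OU itself or on other object classes.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Group)
    $map = Get-AdGuidMap
    $byName = @{}
    foreach ($g in $map.Keys) { $byName[$map[$g]] = [guid]$g }
    $sid = (Get-ADGroup -Identity $Group).SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rules = @(
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
            $byName['Reset Password'], $descendants, $byName['user'])
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
            [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
            $byName['pwdLastSet'], $descendants, $byName['user'])
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl    # requires Modify Permissions on the OU
}

function Export-AdDelegation {
    # "Track and record": every explicit (non-inherited) entry on every OU in the domain, with the
    # GUIDs translated to names, written to CSV for review and change tracking.
    param([Parameter(Mandatory)][string]$Path)
    $map = Get-AdGuidMap
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $ou = $_.DistinguishedName
        (Get-Acl -Path "AD:\$ou").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
            [pscustomobject]@{
                OU          = $ou
                Trustee     = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights.ToString()
                AppliesTo   = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $map[$_.ObjectType.ToString()] }
                InheritedBy = if ($_.InheritedObjectType -eq [guid]::Empty) { '(all classes)' } else { $map[$_.InheritedObjectType.ToString()] }
            }
        }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# Usage with placeholder names
Grant-AdPasswordResetDelegation -OuDn 'OU=Sales,DC=corp,DC=example' -Group 'Sales-Helpdesk'
Export-AdDelegation -Path 'C:\Audit\ou-delegations.csv'
```

Run the export before and after a delegation and diff the two files; that difference is the record the guideline asks you to keep, and it also catches delegations that nobody remembers making.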

Page 33

The Select Users, Computers, Or Groups Dialog Box

Page 34

The Tasks To Delegate Page

Page 35

Lesson Summary

You can delegate administrative control of objects to individuals so they can perform administrative tasks on the objects.

Assign permissions at the OU or container level whenever possible.

Use the Delegation Of Control Wizard to grant users or groups control of specific object types in an OU or container.

Page 36

Active Directory Troubleshooting Scenarios

Symptom: Cannot add or remove a domain

Cause: The domain naming master is not available.

Solution: Resolve the network connectivity problem or repair or replace the domain naming master computer. It might be necessary to seize the domain naming master role. Seizing (with the Ntdsutil roles commands) applies to every operations master role and is a last resort: transfer the role instead whenever the current holder can still be contacted, and never return a domain controller whose role has been seized to the network without rebuilding it, because two computers would otherwise claim the same role.

Page 37

Active Directory Troubleshooting Scenarios (Cont.)

Symptom: Cannot create objects in Active Directory

Cause: The relative ID master is not available.

Solution: Resolve the network connectivity problem or repair or replace the computer holding the relative ID master role. It might be necessary to seize the relative ID master role. Each domain controller holds a pool of relative IDs and requests a new pool from the relative ID master only when its own runs low, so this symptom can appear days after the role holder went down, and on some domain controllers before others.

Page 38

Active Directory Troubleshooting Scenarios (Cont.)

Symptom: Cannot modify the schema

Cause: The schema master is not available.

Solution: Resolve the network connectivity problem or repair or replace the computer holding the schema master role. It might be necessary to seize the schema master role.

Page 39

Active Directory Troubleshooting Scenarios (Cont.)

Symptom: Group memberships that include accounts from other domains are shown incorrectly. Members that were renamed or moved in their own domain appear under stale names, or are missing from the member list.

Cause: The infrastructure master is not available, or it runs on a Global Catalog server while other domain controllers in the domain do not (a Global Catalog already holds current copies of the cross-domain references and so never notices that they need updating). In a single-domain forest, or where every domain controller is a Global Catalog, the role has no work to do.

Solution: Resolve the network connectivity problem or repair or replace the computer holding the infrastructure master role. It might be necessary to seize the infrastructure master role.

Page 40

Active Directory Troubleshooting Scenarios (Cont.)

Symptom: Clients without Active Directory client software installed (Windows NT 4.0, and Windows 95 or Windows 98 without the Directory Service Client) cannot log on or change their passwords, and Windows NT 4.0 backup domain controllers in a mixed-mode domain stop receiving directory updates.

Cause: The primary domain controller emulator is not available.

Solution: Resolve the network connectivity problem or repair or replace the computer holding the primary domain controller emulator role. It might be necessary to seize the primary domain controller emulator role. Because this role also serves as the domain's authoritative time source and receives password changes ahead of normal replication, its loss is noticed quickly even in a native-mode domain, so treat it as the role to restore first.

Page 41

Active Directory Troubleshooting Scenarios (Cont.)

Symptom: Clients cannot access resources in another domain.

Cause: A failure of the trust between the domains has occurred.

Solution: Reset and verify the trust between the domains (in Active Directory Domains And Trusts, or with the Netdom trust command from the Support Tools). The primary domain controller emulator must be available for a trust to be successfully reset.
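Every scenario above starts with the same two questions: which domain controller holds the role, and is it answering. As an added example (not part of the chapter), the following PowerShell answers both for all five roles and flags the infrastructure-master placement problem. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later, so these cmdlets postdate Windows 2000).

```powershell
# Added example: locate the operations master role holders and check whether each one answers.
# Assumes the ActiveDirectory module (RSAT); run from a domain-joined machine.
Import-Module ActiveDirectory

function Get-AdOperationsMasterStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom = Get-ADDomain -Identity $Domain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $dom.PDCEmulator              # one per domain
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # Reachable over LDAP right now? A bind failure is the "not available" of the scenarios.
        $ldapOk = try { [void](Get-ADRootDSE -Server $holder); $true } catch { $false }
        $note = ''
        if ($role -eq 'InfrastructureMaster') {
            $holderIsGc = ($dcs | Where-Object { $_.HostName -eq $holder }).IsGlobalCatalog
            if ($holderIsGc -and -not $everyDcIsGc) {
                $note = 'holder is a Global Catalog while other DCs are not; cross-domain group references will go stale'
            } elseif ($everyDcIsGc -or $forest.Domains.Count -eq 1) {
                $note = 'role has no work to do (single domain, or every DC is a Global Catalog)'
            }
        }
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $ldapOk; Note = $note }
    }
}

Get-AdOperationsMasterStatus | Format-Table -AutoSize
```

When a holder is reachable, transfer the role with Move-ADDirectoryServerOperationMasterRole; its -Force switch seizes the role when the holder is gone for good, the equivalent of the Ntdsutil seize commands on Windows 2000, with the same rule that the old holder must not return unrebuilt.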

Page 42

Lesson Summary

The domain naming master is needed to add or remove Active Directory domains.
The relative ID master is needed to create new objects in Active Directory (it allocates the pools of relative IDs from which each domain controller builds new SIDs).
The schema master is needed to modify the Active Directory schema.
The infrastructure master is needed to keep cross-domain group membership references up to date.
The primary domain controller emulator is needed for logon from computers not running Active Directory client software.