Chapter Overview - PowerPoint PPT Presentation

Slides: 43
Provided by: higheredM
1
Chapter Overview
  • Managing Object and Container Permissions
  • Locating and Moving Active Directory Objects
  • Delegating Control
  • Troubleshooting Active Directory Service

2
Managing Object and Container Permissions
  • Microsoft Windows 2000 uses an object-based
    security model to implement access control for
    all Active Directory objects.
  • Every Active Directory object has a security
    descriptor that defines
  • Who has permissions to access the object
  • What type of access is allowed

3
Understanding Active Directory Permissions
  • Active Directory permissions let you control
  • Who can access individual objects and object
    attributes
  • The type of access allowed
  • Either an administrator or the object's owner
    must assign permissions to the object before
    users can access the object.
  • Windows 2000 stores a list of user permissions,
    called the access control list (ACL), in every
    Active Directory object.
  • You can use permissions to grant administrative
    privileges to a specific user or group for an
    organizational unit (OU), a hierarchy of OUs, or
    a single object, without assigning them
    administrative permissions for other Active
    Directory objects.

4
Object Permissions
  • The permissions you can grant for an object vary,
    depending on the object type.
  • When you assign permission to a user who is a
    member of a group that has different permissions,
    the user's effective permission is the
    combination of the user and group permissions.
  • For example, a user assigned the Read permission
    who belongs to a group assigned the Write
    permission has an effective permission of Read
    and Write.

5
Object Permissions (Cont.)
  • You can allow or deny permissions to Active
    Directory objects, like you can for NT file
    system (NTFS) and share permissions.
  • Denied permissions take precedence over assigned
    permissions.
  • Deny permissions only when absolutely necessary.
  • Ensure that every Active Directory object has at
    least one user with the Full Control permission.
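
The following is an added example, not from the slides, that applies the rules on slides 4 and 5 to a real object: it collects the Allow and Deny entries that name a user or any group the user belongs to (nested membership included), combines them, and lets Deny take precedence. It assumes the ActiveDirectory PowerShell module and its AD: drive; the OU and user names are placeholders.

```powershell
# Added example (not from the slides): compute a user's effective object-level
# permissions from the ACEs that name the user or any of the user's groups.
# Assumes the ActiveDirectory module; the object DN and user are placeholders.
Import-Module ActiveDirectory

$objectDn = 'OU=Printers,DC=example,DC=com'   # placeholder target object
$user     = Get-ADUser -Identity 'jdoe'        # placeholder user

# Nested group membership via the LDAP_MATCHING_RULE_IN_CHAIN filter.
$groupSids = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { $_.SID.Value }

# Every domain user is also a member of Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
$principalSids = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11') + @($groupSids)

$acl = Get-Acl -Path "AD:\$objectDn"

[int]$allow = 0
[int]$deny  = 0
foreach ($ace in $acl.Access) {
    # Only ACEs that apply to the whole object; attribute- or class-specific
    # ACEs (ObjectType set) are the "special permissions" of slide 6.
    if ($ace.ObjectType -ne [guid]::Empty) { continue }

    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable (orphaned) SID
    if ($principalSids -notcontains $sid) { continue }

    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.ActiveDirectoryRights }
    else                                    { $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights }
}

# Denied permissions take precedence: effective = Allow with every Deny bit cleared.
$effective = [System.DirectoryServices.ActiveDirectoryRights]($allow -band (-bnot $deny))

[pscustomobject]@{
    Object    = $objectDn
    User      = $user.SamAccountName
    Allowed   = [System.DirectoryServices.ActiveDirectoryRights]$allow
    Denied    = [System.DirectoryServices.ActiveDirectoryRights]$deny
    Effective = $effective
}
```

The script deliberately skips property- and class-specific entries, so its result is the object-level view the Security tab shows; a Deny on a single attribute would not appear here but still wins for that attribute.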

6
Standard Permissions and Special Permissions
  • You can set standard and special permissions for
    Active Directory objects.
  • Standard permissions
  • Are the most frequently used combinations of
    special permissions
  • Simplify the task of controlling access to the
    Active Directory service
  • Special permissions provide a finer degree of
    access control.

7
Standard Permissions
Object Permission          Enables the user to
Full Control               Change permissions, take ownership, and perform tasks allowed by all other standard permissions
Read                       View objects and object attributes, the object owner, and Active Directory permissions
Write                      Change object attributes
Create All Child Objects   Add any type of child object to an OU
Delete All Child Objects   Remove any type of object from an OU

8
Assigning Active Directory Permissions
  • You use Active Directory Users And Computers to
    set standard permissions for objects and object
    attributes.
  • You assign standard permissions in the Security
    tab of an object's Properties dialog box.
  • If check boxes in the Permissions list of the
    Properties dialog box are shaded, the object has
    inherited permissions from a parent object.
  • Standard permissions are usually sufficient for
    most administrative tasks.

9
The Permission Entry For Users Dialog Box
10
Assigning Special Permissions for an Active
Directory Object
  • To assign special permissions for an Active
    Directory object
  • 1. Open the Properties dialog box for the
    object, click the Security tab, and then click
    Advanced.
  • 2. In the Permissions tab, select an entry to
    view or edit, and then click View/Edit.
  • 3. In the Object tab in the Permission Entry For
    Users dialog box, change permissions as needed,
    and then click OK.

11
Using Permissions Inheritance
  • When you assign permissions to Active Directory
    objects, you can specify that the permissions be
    applied to this object only or to this object and
    all child objects.
  • For example, you can grant a group the Full
    Control permission for an OU that contains
    printers, and specify that the permission be
    applied to this object and all child objects.
  • In this case, all of the group's members can
    administer all of the printers in the OU.

12
Using Permissions Inheritance (Cont.)
  • To prevent a child object from inheriting
    permissions from a parent object
  • 1. In the Security tab in the child object's
    Properties dialog box, clear the Allow
    Inheritable Permissions From Parent To
    Propagate To This Object check box.
  • 2. Select the Copy option or the Remove
    option.
  • Copy copies the previously inherited permissions
    to the object, which you can then modify
  • Remove removes all previously inherited
    permissions, giving you a blank slate to assign
    any necessary permissions
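
The following is an added example, not from the slides, that performs the steps of slides 10 and 12 without the GUI: it grants a group a special permission on an OU applied to "this object and all child objects", then blocks inheritance on one child with either the Copy or the Remove behaviour. It assumes the ActiveDirectory module and its AD: drive; the OU, child object and group names are placeholders.

```powershell
# Added example (not from the slides): the Advanced security dialog steps of
# slides 10 and 12 done with Get-Acl/Set-Acl. Assumes the ActiveDirectory
# module; OU, child object and group names are placeholders.
Import-Module ActiveDirectory

$ouPath    = 'AD:\OU=Printers,DC=example,DC=com'            # placeholder parent OU
$childPath = 'AD:\CN=PRN-01,OU=Printers,DC=example,DC=com'  # placeholder child object
$group     = Get-ADGroup -Identity 'Printer Admins'          # placeholder group

# 1. Add an ACE on the OU. ActiveDirectorySecurityInheritance 'All' is the
#    dialog's "This object and all child objects"; 'None' is "This object only".
$acl  = Get-Acl -Path $ouPath
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'GenericAll',   # Full Control
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 2. Clear "Allow Inheritable Permissions From Parent To Propagate To This
#    Object" on the child. The second argument picks Copy ($true: previously
#    inherited ACEs are kept as explicit ones) or Remove ($false: blank slate).
$childAcl = Get-Acl -Path $childPath
$childAcl.SetAccessRuleProtection($true, $true)     # Copy
# $childAcl.SetAccessRuleProtection($true, $false)  # Remove
Set-Acl -Path $childPath -AclObject $childAcl

# 3. Verify. A shaded check box in the GUI corresponds to IsInherited = True here;
#    after step 2 nothing on the child should still be inherited.
(Get-Acl -Path $childPath).Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run the verification step before and after step 2 to see the Copy variant turn inherited entries into explicit ones while the Remove variant leaves only the entries the object had in its own DACL.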

13
Lesson Summary
  • Every Active Directory object has a security
    descriptor that defines who has permission to
    access the object and what type of access is
    allowed.
  • Use Active Directory Users And Computers to
    assign standard and special permissions for
    objects and object attributes.
  • You can specify that the permissions be applied
    to this object only, or be applied to this object
    and all child objects.
  • To prevent a child object from inheriting
    permissions from a parent object, clear the Allow
    Inheritable Permissions From Parent To Propagate
    To This Object check box in the child object's
    Properties dialog box.

14
Locating and Moving Active Directory Objects
  • Active Directory stores information about objects
    on the network.
  • Each object is a set of attributes that
    represents a specific network entity.
  • You can move Active Directory objects from one
    location to another when organizational or
    administrative functions change.

15
The Most Common Active Directory Objects
  • User
  • Contact
  • Group
  • Shared folder
  • Printer
  • Computer
  • Domain controller
  • Organizational unit (OU)

16
Locating Active Directory Objects
  • Active Directory maintains a Global Catalog of
    the entire directory. The Global Catalog
  • Contains key information about every object in
    every domain
  • Stores key attributes used for searching
  • Any domain controller can be designated a Global
    Catalog server.
  • You can run basic and advanced searches for
    Active Directory objects by using the Find dialog
    box in Active Directory Users And Computers.
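
The following is an added example, not from the slides, that does the Find dialog's job from PowerShell against a Global Catalog server, so a single query covers every domain in the forest. It assumes the ActiveDirectory module; the search term is a placeholder, and the empty search base with port 3268 is the forest-wide search form the module accepts.

```powershell
# Added example (not from the slides): basic and advanced searches against a
# Global Catalog. Assumes the ActiveDirectory module; search values are placeholders.
Import-Module ActiveDirectory

# Any domain controller advertising the Global Catalog service, queried on port 3268.
$gc       = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$gcServer = "${gc}:3268"

$needle = 'jdoe'   # placeholder search term

# Basic search: ambiguous name resolution (anr) matches several name attributes
# at once, like the Name box of Find Users, Contacts, And Groups.
Get-ADObject -Server $gcServer -SearchBase '' -SearchScope Subtree `
    -LDAPFilter "(&(anr=$needle)(|(objectClass=user)(objectClass=contact)(objectClass=group)))" `
    -Properties mail |
    Select-Object Name, ObjectClass, DistinguishedName, mail

# Advanced search: a condition on an attribute. Here, user accounts that are
# disabled (userAccountControl bit 0x2) anywhere in the forest.
Get-ADObject -Server $gcServer -SearchBase '' -SearchScope Subtree `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' `
    -Properties userAccountControl |
    Select-Object Name, DistinguishedName, userAccountControl
```

The Global Catalog holds only the partial attribute set, so a condition on an attribute that is not replicated to the catalog has to be run against a domain controller of the object's own domain instead.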

17
The Find Users, Contacts, And Groups Dialog Box
18
The Advanced Search Interface
19
Condition Options in the Advanced Search
Interface
20
Moving Active Directory Objects
  • You can move Active Directory objects.
  • For example, to accommodate physical changes on
    the network or personnel changes between
    departments
  • Objects can be moved to a new container, OU,
    domain, or site.
  • You can move Active Directory objects within and
    between domains.
  • You can move domain controllers between sites.

21
Moving Objects Within a Domain
  • You can move Active Directory objects to
    different OUs or containers within a domain.
  • To use Active Directory Users And Computers to
    move objects within a domain
  • 1. In the console tree, right-click the object
    you want to move, and then select Move.
  • 2. Select the OU or container you want to move
    the object to, and then click OK.

22
The Move Dialog Box
23
Conditions When Moving Objects Within a Domain
  • When you move an object between OUs or containers
    within a domain
  • Permissions that are assigned directly to the
    object remain in force after the object is moved
  • The moved object no longer inherits permissions
    from its old OU or container; instead, the object
    inherits permissions from its new parent OU or
    container
  • You can move multiple objects at the same time
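
The following is an added example, not from the slides, that moves an object to another OU with Move-ADObject and shows the conditions above in the object's DACL: directly assigned entries are unchanged, while the inherited entries now come from the new parent. It assumes the ActiveDirectory module; the object and OU names are placeholders.

```powershell
# Added example (not from the slides): move an object within a domain and compare
# its explicit and inherited ACEs before and after. Assumes the ActiveDirectory
# module; object and OU names are placeholders.
Import-Module ActiveDirectory

$objectDn = 'CN=PRN-01,OU=Printers,DC=example,DC=com'   # placeholder object
$targetOu = 'OU=Printers-Branch,DC=example,DC=com'       # placeholder destination OU

function Get-AceSnapshot {
    param([string]$Dn)
    (Get-Acl -Path "AD:\$Dn").Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            IsInherited = $_.IsInherited
        }
    }
}

$before = @(Get-AceSnapshot -Dn $objectDn)

# The move itself (several objects can be piped into Move-ADObject at once).
Move-ADObject -Identity $objectDn -TargetPath $targetOu

# The RDN is unchanged; only the parent part of the DN changes.
$rdn   = ($objectDn -split ',', 2)[0]
$newDn = "$rdn,$targetOu"
$after = @(Get-AceSnapshot -Dn $newDn)

# Directly assigned ACEs (IsInherited = False) should all show '==' here.
$explicitBefore = @($before | Where-Object { -not $_.IsInherited })
$explicitAfter  = @($after  | Where-Object { -not $_.IsInherited })
Compare-Object -ReferenceObject $explicitBefore -DifferenceObject $explicitAfter `
    -Property Identity, Rights, Type -IncludeEqual | Format-Table -AutoSize

"Inherited ACEs after the move (now from $targetOu):"
$after | Where-Object IsInherited | Format-Table Identity, Rights, Type -AutoSize
```

The comparison only covers the object's own DACL; permissions a user gets through group membership in the destination OU are not shown, since they are not stored on the moved object.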

24
Moving Objects Between Domains
  • You can use the Movetree command-line utility to
    move Active Directory objects between domains in
    a single forest, with some exceptions.
  • Movetree is part of the Windows 2000 Support
    Tools, which can be installed from the Microsoft
    Windows 2000 Server CD-ROM.

25
Moving Objects Between Domains (Cont.)
  • To move an existing object, you must make the
    object a child of an existing parent object that
    already resides in the new location.
  • Movetree enables you to move an OU to another
    domain while keeping all of the linked group
    policy objects (GPOs) in the old domain intact.

26
Moving Domain Controllers Between Sites
  • When you install the first domain controller in
    the forest, Windows 2000 automatically creates
    the Default-First-Site-Name site, and installs
    the domain controller in that site.
  • You can use Active Directory Sites And Services
    to move domain controllers from one site to
    another.

27
The Move Server Dialog Box
28
Lesson Summary
  • Use the Find dialog box in Active Directory Users
    And Computers to locate Active Directory objects.
  • To move Active Directory objects to different
    locations in the same domain, use Active
    Directory Users And Computers.
  • To move objects to a different domain, use the
    Movetree.exe command-line utility.
  • To move a domain controller to a different site,
    use Active Directory Sites And Services.

29
Delegating Control
  • You can delegate administrative control of Active
    Directory objects to individuals so they can
    perform administrative tasks on the objects.

30
Guidelines for Delegating Control
  • You delegate administrative control of objects by
    assigning permissions to the objects to allow
    users or groups of users to administer the
    objects.
  • An administrator can assign a user or group the
    permissions to
  • Change the properties of a specific container
  • Create, modify, or delete specified types of
    objects in a specific OU or container
  • Modify specific properties of specified types of
    objects in a specific OU or container

31
Suggested Guidelines for Delegating
Administrative Control
  • Assign control at the OU or container level
    whenever possible.
  • This is the most common method of assigning
    administrative control.
  • Use the Delegation Of Control Wizard.
  • Track and record the delegation of permission
    assignments.
  • Follow the business requirements of your
    organization.
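
The following is an added example, not from the slides, for the guideline to track and record delegations: it walks every OU in the domain, lists the explicit (non-inherited) access entries on each, resolves the attribute, class or extended-right GUID in each entry to a readable name from the schema and the Extended-Rights container, and writes the result to a CSV. It assumes the ActiveDirectory module; the list of expected principals is a starting point to adjust, and the export path is a placeholder.

```powershell
# Added example (not from the slides): inventory delegated permissions on all OUs.
# Assumes the ActiveDirectory module; the expected-principal list and the export
# path are placeholders to adapt to your domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Principals that normally appear on OUs without anyone having delegated anything.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins"
)

# GUID -> name map so that special permissions read as 'user' or 'Reset Password'
# rather than as raw GUIDs.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]::new([byte[]]$_.schemaIDGUID)] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Id) {
    if ($Id -eq [guid]::Empty)     { return 'Whole object' }
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()
}

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                                    # set higher up, not here
        if ($expected -contains $ace.IdentityReference.Value) { continue }    # default entries
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            On        = Resolve-AceGuid $ace.ObjectType            # attribute / class / extended right
            ForClass  = Resolve-AceGuid $ace.InheritedObjectType   # child object type it applies to
            AppliesTo = $ace.InheritanceType
        }
    }
}

$report | Sort-Object OU, Principal | Export-Csv -Path 'C:\Reports\ad-delegations.csv' -NoTypeInformation
$report | Format-Table OU, Principal, Type, Rights, On, ForClass -AutoSize
```

Keeping successive exports lets you diff them, which is the practical form of "track and record": any new row is a delegation that someone should be able to account for.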

32
The Delegation Of Control Wizard
  • This wizard takes you through the process of
    assigning permissions at the OU or container
    level.
  • To start the wizard
  • 1. Open Active Directory Users And Computers.
  • 2. Right-click the container or OU for which
    you want to delegate control, and then select
    Delegate Control.

33
The Select Users, Computers, Or Groups Dialog Box
34
The Tasks To Delegate Page
35
Lesson Summary
  • You can delegate administrative control of
    objects to individuals so they can perform
    administrative tasks on the objects.
  • Assign permissions at the OU or container level
    whenever possible.
  • Use the Delegation Of Control Wizard to grant
    users or groups control of specific object types
    in an OU or container.

36
Active Directory Troubleshooting Scenarios
  • Symptom: Cannot add or remove a domain
  • Cause: The domain naming master is not available.
  • Solution: Resolve the network connectivity
    problem or repair or replace the domain naming
    master computer.
  • It might be necessary to seize the domain naming
    master role.

37
Active Directory Troubleshooting Scenarios
(Cont.)
  • Symptom: Cannot create objects in Active
    Directory
  • Cause: The relative ID master is not available.
  • Solution: Resolve the network connectivity
    problem or repair or replace the computer holding
    the relative ID master role.
  • It might be necessary to seize the relative ID
    master role.

38
Active Directory Troubleshooting Scenarios
(Cont.)
  • Symptom: Cannot modify the schema
  • Cause: The schema master is not available.
  • Solution: Resolve the network connectivity
    problem or repair or replace the computer holding
    the schema master role.
  • It might be necessary to seize the schema master
    role.

39
Active Directory Troubleshooting Scenarios
(Cont.)
  • Symptom: Changes to group memberships are not
    taking effect.
  • Cause: The infrastructure master is not
    available.
  • Solution: Resolve the network connectivity
    problem or repair or replace the computer holding
    the infrastructure master role.
  • It might be necessary to seize the infrastructure
    master role.

40
Active Directory Troubleshooting Scenarios
(Cont.)
  • Symptom: Clients without Active Directory client
    software installed cannot log on.
  • Cause: The primary domain controller emulator is
    not available.
  • Solution: Resolve the network connectivity
    problem or repair or replace the computer holding
    the primary domain controller emulator role.
  • It might be necessary to seize the primary domain
    controller emulator role.

41
Active Directory Troubleshooting Scenarios
(Cont.)
  • Symptom: Clients cannot access resources in
    another domain.
  • Cause: A failure of the trust between the domains
    has occurred.
  • Solution: Reset and verify the trust between the
    domains.
  • The primary domain controller emulator must be
    available for a trust to be successfully reset.

42
Lesson Summary
  • The domain naming master is needed to add or
    remove Active Directory domains.
  • The relative ID master is needed to create new
    objects in Active Directory.
  • The schema master is needed to modify the Active
    Directory schema.
  • The infrastructure master is needed to change
    group memberships.
  • The primary domain controller emulator is needed
    to log on to computers not running Active
    Directory client software.