Title: Chapter Overview
1 Chapter Overview
- Managing Object and Container Permissions
- Locating and Moving Active Directory Objects
- Delegating Control
- Troubleshooting Active Directory Service
2 Managing Object and Container Permissions
- Microsoft Windows 2000 uses an object-based security model to implement access control for all Active Directory objects.
- Every Active Directory object has a security descriptor that defines
  - Who has permissions to access the object
  - What type of access is allowed
3 Understanding Active Directory Permissions
- Active Directory permissions let you control
  - Who can access individual objects and object attributes
  - The type of access allowed
- Either an administrator or the object's owner must assign permissions to the object before users can access the object.
- Windows 2000 stores a list of user permissions, called the access control list (ACL), in every Active Directory object.
- You can use permissions to grant administrative privileges to a specific user or group for an organizational unit (OU), a hierarchy of OUs, or a single object, without assigning them administrative permissions for other Active Directory objects.
4 Object Permissions
- The permissions you can grant for an object vary, depending on the object type.
- When you assign permission to a user who is a member of a group that has different permissions, the user's effective permission is the combination of the user and group permissions.
  - For example, if the user is assigned Read and the user's group is assigned Write, the user's effective permission is Read and Write.
5 Object Permissions (Cont.)
- You can allow or deny permissions to Active Directory objects, as you can for NT file system (NTFS) and share permissions.
- Denied permissions take precedence over allowed permissions.
- Deny permissions only when absolutely necessary.
- Ensure that every Active Directory object has at least one user with the Full Control permission.
6 Standard Permissions and Special Permissions
- You can set standard and special permissions for Active Directory objects.
- Standard permissions
  - Are the most frequently used combinations of special permissions
  - Simplify the task of controlling access to the Active Directory service
- Special permissions provide a finer degree of access control.
7 Standard Permissions

| Object permission | Enables the user to |
| --- | --- |
| Full Control | Change permissions, take ownership, and perform the tasks allowed by all other standard permissions |
| Read | View objects and object attributes, the object owner, and Active Directory permissions |
| Write | Change object attributes |
| Create All Child Objects | Add any type of child object to an OU |
| Delete All Child Objects | Remove any type of object from an OU |
8 Assigning Active Directory Permissions
- You use Active Directory Users And Computers to set standard permissions for objects and object attributes.
- You assign standard permissions in the Security tab of an object's Properties dialog box.
- If check boxes in the Permissions list of the Properties dialog box are shaded, the object has inherited permissions from a parent object.
- Standard permissions are usually sufficient for most administrative tasks.
9 The Permission Entry For Users Dialog Box
10 Assigning Special Permissions for an Active Directory Object
- To assign special permissions for an Active Directory object
  1. Open the Properties dialog box for the object, click the Security tab, and then click Advanced.
  2. In the Permissions tab, select an entry to view or edit, and then click View/Edit.
  3. In the Object tab in the Permission Entry For Users dialog box, change permissions as needed, and then click OK.
11 Using Permissions Inheritance
- When you assign permissions to Active Directory objects, you can specify that the permissions be applied to this object only or to this object and all child objects.
- For example, you can grant a group the Full Control permission for an OU that contains printers, and specify that the permission be applied to this object and all child objects.
- In this case, all of the group's members can administer all of the printers in the OU.
12 Using Permissions Inheritance (Cont.)
- To prevent a child object from inheriting permissions from a parent object
  1. In the Security tab in the child object's Properties dialog box, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
  2. Select the Copy option or the Remove option.
    - Copy copies the previously inherited permissions to the object, which you can then modify.
    - Remove removes all previously inherited permissions, giving you a blank slate to assign any necessary permissions.
13 Lesson Summary
- Every Active Directory object has a security descriptor that defines who has permission to access the object and what type of access is allowed.
- Use Active Directory Users And Computers to assign standard and special permissions for objects and object attributes.
- You can specify that the permissions be applied to this object only, or to this object and all child objects.
- To prevent a child object from inheriting permissions from a parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box in the child object's Properties dialog box.
14 Locating and Moving Active Directory Objects
- Active Directory stores information about objects on the network.
- Each object is a set of attributes that represents a specific network entity.
- You can move Active Directory objects from one location to another when organizational or administrative functions change.
15 The Most Common Active Directory Objects
- User
- Contact
- Group
- Shared folder
- Printer
- Computer
- Domain controller
- Organizational unit (OU)
16 Locating Active Directory Objects
- Active Directory maintains a Global Catalog of the entire directory. The Global Catalog
  - Contains key information about every object in every domain
  - Stores key attributes used for searching
- Any domain controller can be designated a Global Catalog server.
- You can run basic and advanced searches for Active Directory objects by using the Find dialog box in Active Directory Users And Computers.
17 The Find Users, Contacts, And Groups Dialog Box
18 The Advanced Search Interface
19 Condition Options in the Advanced Search Interface
20 Moving Active Directory Objects
- You can move Active Directory objects.
  - For example, to accommodate physical changes on the network or personnel changes between departments
- Objects can be moved to a new container, OU, domain, or site.
- You can move Active Directory objects within and between domains.
- You can move domain controllers between sites.
21 Moving Objects Within a Domain
- You can move Active Directory objects to different OUs or containers within a domain.
- To use Active Directory Users And Computers to move objects within a domain
  1. In the console tree, right-click the object you want to move, and then select Move.
  2. Select the OU or container you want to move the object to, and then click OK.
22 The Move Dialog Box
23 Conditions When Moving Objects Within a Domain
- When you move an object between OUs or containers within a domain
  - Permissions that are assigned directly to the object remain in force after the object is moved
  - The moved object no longer inherits permissions from its old OU or container; instead, the object inherits permissions from its new parent OU or container
  - You can move multiple objects at the same time
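The effective-permission rules from slides 4, 5, 11, 12 and 23 (user and group permissions combine, Deny wins, inheritance can be limited to this object only or blocked with Copy or Remove, and a moved object keeps its direct permissions but now inherits from its new parent) modelled in Python as an added example. This is not code from the slides; the OU tree, trustee names and permission sets are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Ace:
    trustee: str          # user or group the entry applies to
    rights: set           # standard permission names, e.g. {"Read", "Write"}
    allow: bool = True    # False models a Deny entry
    inherit: bool = True  # True: this object and all child objects; False: this object only
@dataclass
class AdObject:
    parent: "AdObject | None" = None
    acl: list = field(default_factory=list)  # ACEs assigned directly to this object
    blocks_inheritance: bool = False         # inheritance check box cleared
    def effective_acl(self):
        # Direct ACEs first (unshaded in the GUI), then ACEs inherited down the parent chain
        aces = list(self.acl)
        if self.parent and not self.blocks_inheritance:
            aces += [a for a in self.parent.effective_acl() if a.inherit]
        return aces
    def block_inheritance(self, copy):
        # Copy turns the inherited ACEs into direct ones; Remove keeps only the direct ACEs
        if copy:
            self.acl += self.effective_acl()[len(self.acl):]
        self.blocks_inheritance = True

def effective_rights(obj, user, groups):
    # Union of Allow rights for the user and the user's groups, minus anything denied
    allowed, denied = set(), set()
    for ace in obj.effective_acl():
        if ace.trustee == user or ace.trustee in groups:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied  # Deny takes precedence over Allow

def demo():
    # Constructed tree (not from the slides): domain > OU=Sales > OU=Printers > printers
    domain = AdObject(acl=[Ace("Authenticated Users", {"Read"})])
    sales = AdObject(domain, [Ace("alice", {"Read"}, inherit=False), Ace("SalesAdmins", {"Write"}),
                              Ace("Contractors", {"Write"}, allow=False)])
    printers = AdObject(sales, [Ace("PrinterAdmins", {"Full Control"})])
    hp1, hp2 = AdObject(printers), AdObject(printers, [Ace("Helpdesk", {"Write"})])
    pat, bob = ("pat", {"PrinterAdmins"}), ("bob", {"Authenticated Users", "SalesAdmins", "Contractors"})
    out = {"alice_sales": effective_rights(sales, "alice", {"SalesAdmins"}),  # Read + Write combine
           "bob_sales": effective_rights(sales, *bob),                        # Deny Write wins
           "pat_hp1": effective_rights(hp1, *pat)}                            # Full Control inherited
    hp1.block_inheritance(copy=True)  # Copy: the inherited Full Control becomes a direct ACE
    out["pat_hp1_copy"] = effective_rights(hp1, *pat)
    hp2.parent = sales  # move HP-2 to OU=Sales: direct ACE stays, PrinterAdmins ACE no longer inherited
    out["hp2_moved"] = (effective_rights(hp2, *pat), effective_rights(hp2, "h1", {"Helpdesk"}))
    hp2.block_inheritance(copy=False)  # Remove: blank slate, only the direct Helpdesk ACE is left
    out["bob_hp2_remove"] = effective_rights(hp2, *bob)
    return out
```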
24 Moving Objects Between Domains
- You can use the Movetree command-line utility to move Active Directory objects between domains in a single forest, with some exceptions.
- Movetree is part of the Windows 2000 Support Tools, which can be installed from the Microsoft Windows 2000 Server CD-ROM.
25 Moving Objects Between Domains (Cont.)
- To move an existing object, you must make the object a child of an existing parent object that already resides in the new location.
- Movetree enables you to move an OU to another domain while keeping all of the linked group policy objects (GPOs) in the old domain intact.
26 Moving Domain Controllers Between Sites
- When you install the first domain controller in the forest, Windows 2000 automatically creates the Default-First-Site-Name site and installs the domain controller in that site.
- You can use Active Directory Sites And Services to move domain controllers from one site to another.
27 The Move Server Dialog Box
28 Lesson Summary
- Use the Find dialog box in Active Directory Users And Computers to locate Active Directory objects.
- To move Active Directory objects to different locations in the same domain, use Active Directory Users And Computers.
- To move objects to a different domain, use the Movetree.exe command-line utility.
- To move a domain controller to a different site, use Active Directory Sites And Services.
29 Delegating Control
- You can delegate administrative control of Active Directory objects to individuals so they can perform administrative tasks on the objects.
30 Guidelines for Delegating Control
- You delegate administrative control of objects by assigning permissions to the objects to allow users or groups of users to administer the objects.
- An administrator can assign a user or group the permissions to
  - Change the properties of a specific container
  - Create, modify, or delete specified types of objects in a specific OU or container
  - Modify specific properties of specified types of objects in a specific OU or container
31 Suggested Guidelines for Delegating Administrative Control
- Assign control at the OU or container level whenever possible.
  - This is the most common method of assigning administrative control.
- Use the Delegation Of Control Wizard.
- Track and record the delegation of permission assignments.
- Follow the business requirements of your organization.
32 The Delegation Of Control Wizard
- This wizard takes you through the process of assigning permissions at the OU or container level.
- To start the wizard
  1. Open Active Directory Users And Computers.
  2. Right-click the container or OU for which you want to delegate control, and then select Delegate Control.
33 The Select Users, Computers, Or Groups Dialog Box
34 The Tasks To Delegate Page
35 Lesson Summary
- You can delegate administrative control of objects to individuals so they can perform administrative tasks on the objects.
- Assign permissions at the OU or container level whenever possible.
- Use the Delegation Of Control Wizard to grant users or groups control of specific object types in an OU or container.
36 Active Directory Troubleshooting Scenarios
- Symptom: Cannot add or remove a domain
- Cause: The domain naming master is not available.
- Solution: Resolve the network connectivity problem, or repair or replace the domain naming master computer.
  - It might be necessary to seize the domain naming master role.
37 Active Directory Troubleshooting Scenarios (Cont.)
- Symptom: Cannot create objects in Active Directory
- Cause: The relative ID master is not available.
- Solution: Resolve the network connectivity problem, or repair or replace the computer holding the relative ID master role.
  - It might be necessary to seize the relative ID master role.
38 Active Directory Troubleshooting Scenarios (Cont.)
- Symptom: Cannot modify the schema
- Cause: The schema master is not available.
- Solution: Resolve the network connectivity problem, or repair or replace the computer holding the schema master role.
  - It might be necessary to seize the schema master role.
39 Active Directory Troubleshooting Scenarios (Cont.)
- Symptom: Changes to group memberships are not taking effect.
- Cause: The infrastructure master is not available.
- Solution: Resolve the network connectivity problem, or repair or replace the computer holding the infrastructure master role.
  - It might be necessary to seize the infrastructure master role.
40 Active Directory Troubleshooting Scenarios (Cont.)
- Symptom: Clients without Active Directory client software installed cannot log on.
- Cause: The primary domain controller emulator is not available.
- Solution: Resolve the network connectivity problem, or repair or replace the computer holding the primary domain controller emulator role.
  - It might be necessary to seize the primary domain controller emulator role.
41 Active Directory Troubleshooting Scenarios (Cont.)
- Symptom: Clients cannot access resources in another domain.
- Cause: A failure of the trust between the domains has occurred.
- Solution: Reset and verify the trust between the domains.
  - The primary domain controller emulator must be available for a trust to be successfully reset.
42 Lesson Summary
- The domain naming master is needed to add or remove Active Directory domains.
- The relative ID master is needed to create new objects in Active Directory.
- The schema master is needed to modify the Active Directory schema.
- The infrastructure master is needed to change group memberships.
- The primary domain controller emulator is needed to log on to computers not running Active Directory client software.