Module 5: Managing Access to Objects in Organizational Units

1
Module 5 Managing Access to Objects in
Organizational Units
2
Overview

• Modifying Permissions for Active Directory
  Objects
• Delegating Control of Organizational Units

3
Lesson Modifying Permissions for Active
Directory Objects

• What Are Active Directory Object Permissions?
• Characteristics of Active Directory Object
  Permissions
• Permissions Inheritance for Active Directory
  Object Permissions
• Effects of Moving Objects on Permissions
  Inheritance
• What Are Effective Permissions for Active
  Directory Objects?
• Practice Modifying Permissions for Active
  Directory Objects

4
What Are Active Directory Object Permissions?
Permission Allows the user to
Full Control Change permissions, take ownership, and perform the tasks that are allowed by all other standard permissions
Write Change object attributes
Read View objects, object attributes, the object owner, and Active Directory permissions
Create All Child Objects Add any type of object to an organizational unit
Delete All Child Objects Remove any type of child object from an organizational unit
5
Characteristics of Active Directory Object
Permissions

• Active Directory object permissions can be
• Allowed or denied
• Implicitly or explicitly denied
• Set as standard or special permissions
• Standard permissions are the most frequently
  assigned permissions
• Special permissions provide a finer degree of
  control for assigning access to objects
• Set at the object level or inherited from its
  parent object

6
Permissions Inheritance for Active Directory
Object Permissions

• Child containers inherit permissions set on a
  parent container
• Inheritable permissions propagate from parent to
  child when
• A child object is created
• The permissions on the parent object are modified
• Inheritance can be blocked

Permission Inherited by Child Containers
Permissions
Parent Container
Access
Permissions
Child Container
7
Effects of Moving Objects on Permissions
Inheritance

• Explicit permissions set on an object remain the
  same if an object is moved
• Moved objects inherit permissions from the new
  parent organizational unit
• Moved objects no longer inherit permissions from
  the previous parent organizational unit

8
What Are Effective Permissions for Active
Directory Objects?

• Permissions are cumulative
• Deny permissions override all other permissions
• Object owners can always change permissions
• Retrieving effective permissions

9
Practice Modifying Permissions for Active
Directory Objects

• In this practice, you will
• Create a new organizational unit and document the
  permissions
• Remove the inherited permissions and document the
  new permissions
• Manually assign Full Control to a user account
  and create a new object
• Test the permissions
• Examine effective permissions

10
Lesson Delegating Control of Organizational Units

• What Is Delegation of Control of an
  Organizational Unit?
• The Delegation of Control Wizard
• Modifying the Delegation of Control Wizard
• Custom Management Consoles and Taskpads
• Practice Delegating Control of an Organizational
  Unit

11
What Is Delegation of Control of an
Organizational Unit?

• Assigning management of an organizational unit to
  another user or group

• Delegated administration
• Eases administration by distributing routine
  administrative tasks
• Provides users or groups more control over local
  network resources
• Eliminates the need for multiple administrative
  accounts

Admin1
Domain
Admin3
Admin2
12
The Delegation of Control Wizard

• Use the Delegation of Control Wizard to specify
• The user or group to which you want to delegate
  control
• The organizational units and objects that you
  want to grant the user or group the permission to
  control
• The tasks that you want the user or group to be
  able to perform
• The Delegation of Control Wizard automatically
  assigns to users the appropriate permissions

13
Modifying the Delegation of Control Wizard

• The list of common tasks in the Delegation Wizard
  is controlled by templates in the delegwiz.ini
  file
• You can modify the list of common tasks by
  modifying the delegwiz.ini file to include other
  templates

14
Custom Management Consoles and Taskpads

• Custom management consoles or taskpads can be
  used to provide the tools for delegated users to
  perform their tasks

15
Practice Delegating Control of an Organizational
Unit

• In this practice, you will
• Delegate control of the sales users to Don Hall
  and the sales computers to Judy Lew
• Examine the permissions assigned by the
  Delegation of Control Wizard
• Test the delegated permissions for the Sales
  organizational unit

16
Lab Managing Access to Objects in Organizational
Units

• In this lab, you will
• Modify the Delegation of Control Wizard and
  delegate permissions
• Test the delegated permissions
• Delegate permissions in the Legal organizational
  unit and create a taskpad
• Test the delegated permissions