Published by Cassandra Knight. Modified over 9 years ago.
Slide 1: Chapter Overview
Managing Object and Container Permissions
Locating and Moving Active Directory Objects
Delegating Control
Troubleshooting Active Directory Service
Slide 2: Managing Object and Container Permissions
Microsoft Windows 2000 uses an object-based security model to implement access control for all Active Directory objects. Every Active Directory object has a security descriptor that defines:
Who has permission to access the object
What type of access is allowed
Slide 3: Understanding Active Directory Permissions
Active Directory permissions let you control:
Who can access individual objects and object attributes
The type of access allowed
Either an administrator or the object's owner must assign permissions to the object before users can access it. Windows 2000 stores the list of user permissions, called the access control list (ACL), in every Active Directory object. You can use permissions to grant administrative privileges to a specific user or group for an organizational unit (OU), a hierarchy of OUs, or a single object, without assigning them administrative permissions for other Active Directory objects.
Slide 4: Object Permissions
The permissions you can grant for an object vary depending on the object type. When you assign permissions to a user who is also a member of a group that has different permissions, the user's effective permission is the combination of the user and group permissions. For example: Read + Write = Read and Write.
Slide 5: Object Permissions (Cont.)
You can allow or deny permissions to Active Directory objects, as you can for NT file system (NTFS) and share permissions. Denied permissions take precedence over allowed permissions. Deny permissions only when absolutely necessary. Ensure that every Active Directory object has at least one user with the Full Control permission.
Slide 6: Standard Permissions and Special Permissions
You can set standard and special permissions for Active Directory objects. Standard permissions:
Are the most frequently used combinations of special permissions
Simplify the task of controlling access to the Active Directory service
Special permissions provide a finer degree of access control.
Slide 7: Standard Permissions
Object permission: what it enables the user to do
Full Control: Change permissions, take ownership, and perform the tasks allowed by all other standard permissions
Read: View objects and object attributes, the object owner, and Active Directory permissions
Write: Change object attributes
Create All Child Objects: Add any type of child object to an OU
Delete All Child Objects: Remove any type of object from an OU
Slide 8: Assigning Active Directory Permissions
You use Active Directory Users And Computers to set standard permissions for objects and object attributes. You assign standard permissions in the Security tab of an object's Properties dialog box. If check boxes in the Permissions list of the Properties dialog box are shaded, the object has inherited those permissions from a parent object. Standard permissions are sufficient for most administrative tasks.
Slide 9: The Permission Entry For Users Dialog Box (figure)
Slide 10: Assigning Special Permissions for an Active Directory Object
To assign special permissions for an Active Directory object:
1. Open the Properties dialog box for the object, click the Security tab, and then click Advanced.
2. In the Permissions tab, select an entry to view or edit, and then click View/Edit.
3. In the Object tab of the Permission Entry For Users dialog box, change permissions as needed, and then click OK.
Slide 11: Using Permissions Inheritance
When you assign permissions to Active Directory objects, you can specify that the permissions apply to this object only or to this object and all child objects. For example, you can grant a group the Full Control permission for an OU that contains printers and specify that the permission applies to this object and all child objects. All of the group's members can then administer all of the printers in the OU.
Slide 12: Using Permissions Inheritance (Cont.)
To prevent a child object from inheriting permissions from a parent object:
1. In the Security tab of the child object's Properties dialog box, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
2. Select the Copy option or the Remove option.
Copy: copies the previously inherited permissions to the object, where you can then modify them
Remove: removes all previously inherited permissions, giving you a blank slate on which to assign any necessary permissions
Slide 13: Lesson Summary
Every Active Directory object has a security descriptor that defines who has permission to access the object and what type of access is allowed.
Use Active Directory Users And Computers to assign standard and special permissions for objects and object attributes.
You can specify that the permissions be applied to this object only, or to this object and all child objects.
To prevent a child object from inheriting permissions from a parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box in the child object's Properties dialog box.
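The conditions this lesson describes (Deny entries that override Allow, shaded inherited entries versus explicit ones, blocked inheritance, and whether anyone holds Full Control) can all be read from an object's security descriptor without clicking through the dialog boxes. The following PowerShell is an added example, not part of the course material; it assumes the RSAT ActiveDirectory module and its AD: drive on a domain-joined host (tooling that postdates Windows 2000), and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the slides). Reads an OU's DACL and reports the
# conditions the slides describe: Deny entries, inherited vs explicit ACEs,
# blocked inheritance, and whether any principal is allowed Full Control.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-AdObjectDaclReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $entries = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType      # Allow or Deny
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited            # the shaded check box in the GUI
            AppliesTo  = $ace.InheritanceType        # None = this object only
            ObjectType = $ace.ObjectType             # attribute/class GUID, or all zeros
        }
    }

    [pscustomobject]@{
        Object              = $DistinguishedName
        Owner               = $acl.Owner
        InheritanceBlocked  = $acl.AreAccessRulesProtected   # "Allow Inheritable Permissions" cleared
        DenyEntries         = @($entries | Where-Object { $_.Type -eq 'Deny' })
        ExplicitEntries     = @($entries | Where-Object { -not $_.Inherited })
        HasFullControlAllow = [bool]($entries | Where-Object {
            $_.Type -eq 'Allow' -and (($_.Rights -band $fullControl) -eq $fullControl)
        })
        Entries             = $entries
    }
}

# Placeholder DN; replace with a real OU.
$report = Get-AdObjectDaclReport -DistinguishedName 'OU=Printers,DC=example,DC=com'

$report | Select-Object Object, Owner, InheritanceBlocked, HasFullControlAllow | Format-List
if ($report.DenyEntries.Count -gt 0) {
    'Deny entries (a Deny overrides any Allow for the same principal):'
    $report.DenyEntries | Format-Table Identity, Rights, Inherited -AutoSize
}
'Explicit (non-inherited) entries:'
$report.ExplicitEntries | Format-Table Identity, Type, Rights, AppliesTo -AutoSize
```

Run it against each OU where control has been delegated: an object with InheritanceBlocked set to True and no Full Control Allow entry is exactly the situation slide 5 warns against, and unexpected Deny entries are the usual cause of "the permission is there but it does not work" reports.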
Slide 14: Locating and Moving Active Directory Objects
Active Directory stores information about objects on the network. Each object is a set of attributes that represents a specific network entity. You can move Active Directory objects from one location to another when organizational or administrative functions change.
Slide 15: The Most Common Active Directory Objects
User
Contact
Group
Shared folder
Printer
Computer
Domain controller
Organizational unit (OU)
Slide 16: Locating Active Directory Objects
Active Directory maintains a Global Catalog of the entire directory. The Global Catalog:
Contains key information about every object in every domain
Stores key attributes used for searching
Any domain controller can be designated a Global Catalog server. You can run basic and advanced searches for Active Directory objects by using the Find dialog box in Active Directory Users And Computers.
Slide 17: The Find Users, Contacts, And Groups Dialog Box (figure)
Slide 18: The Advanced Search Interface (figure)
Slide 19: Condition Options in the Advanced Search Interface (figure)
Slide 20: Moving Active Directory Objects
You can move Active Directory objects, for example to accommodate physical changes on the network or personnel changes between departments. Objects can be moved to a new container, OU, domain, or site. You can move Active Directory objects within and between domains. You can move domain controllers between sites.
Slide 21: Moving Objects Within a Domain
You can move Active Directory objects to different OUs or containers within a domain. To use Active Directory Users And Computers to move objects within a domain:
1. In the console tree, right-click the object you want to move, and then select Move.
2. Select the OU or container you want to move the object to, and then click OK.
Slide 22: The Move Dialog Box (figure)
Slide 23: Conditions When Moving Objects Within a Domain
When you move an object between OUs or containers within a domain:
Permissions assigned directly to the object remain in force after the move
The moved object no longer inherits permissions from its old OU or container; instead, it inherits permissions from its new parent OU or container
You can move multiple objects at the same time
Slide 24: Moving Objects Between Domains
You can use the Movetree command-line utility to move Active Directory objects between domains in a single forest, with some exceptions. Movetree is part of the Windows 2000 Support Tools, which can be installed from the Microsoft Windows 2000 Server CD-ROM.
Slide 25: Moving Objects Between Domains (Cont.)
To move an existing object, you must make the object a child of an existing parent object that already resides in the new location. Movetree enables you to move an OU to another domain while keeping all of the linked group policy objects (GPOs) in the old domain intact.
Slide 26: Moving Domain Controllers Between Sites
When you install the first domain controller in the forest, Windows 2000 automatically creates the Default-First-Site-Name site and installs the domain controller in that site. You can use Active Directory Sites And Services to move domain controllers from one site to another.
Slide 27: The Move Server Dialog Box (figure)
Slide 28: Lesson Summary
Use the Find dialog box in Active Directory Users And Computers to locate Active Directory objects.
To move Active Directory objects to different locations in the same domain, use Active Directory Users And Computers.
To move objects to a different domain, use the Movetree.exe command-line utility.
To move a domain controller to a different site, use Active Directory Sites And Services.
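Slide 23 states what happens to permissions when an object is moved within a domain: ACEs set directly on the object survive, inherited ACEs are replaced by the new parent's. The following PowerShell is an added example, not the course's own material, that performs the move from slide 21 and verifies that behaviour, and notes the site move from slide 26. It assumes the RSAT ActiveDirectory module (Move-ADObject, Move-ADDirectoryServer, the AD: drive); the distinguished names and server name are placeholders.

```powershell
# Added example (not from the slides). Moves an object to another OU in the
# same domain and checks the behaviour slide 23 describes: ACEs set directly on
# the object survive the move, while inherited ACEs are replaced by those
# propagated from the new parent. Assumes the RSAT ActiveDirectory module;
# the distinguished names are placeholders.
Import-Module ActiveDirectory

# Stable text form of the non-inherited part of an object's DACL.
function Get-ExplicitAceSignature {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $lines = (Get-Acl -Path ("AD:\" + $DistinguishedName)).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType,
                                 $_.ActiveDirectoryRights, $_.ObjectType
        } | Sort-Object -Unique
    $lines -join "`n"
}

function Get-InheritedAceCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    @((Get-Acl -Path ("AD:\" + $DistinguishedName)).Access |
        Where-Object { $_.IsInherited }).Count
}

function Move-AdObjectWithAclCheck {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$TargetOuDN
    )
    # Track the object by GUID so the new DN is read back rather than computed
    # (string-splitting the old DN breaks on escaped commas in the RDN).
    $guid = (Get-ADObject -Identity $ObjectDN).ObjectGUID

    $explicitBefore  = Get-ExplicitAceSignature -DistinguishedName $ObjectDN
    $inheritedBefore = Get-InheritedAceCount    -DistinguishedName $ObjectDN

    Move-ADObject -Identity $ObjectDN -TargetPath $TargetOuDN

    $newDN = (Get-ADObject -Identity $guid).DistinguishedName
    $explicitAfter  = Get-ExplicitAceSignature -DistinguishedName $newDN
    $inheritedAfter = Get-InheritedAceCount    -DistinguishedName $newDN

    [pscustomobject]@{
        NewDistinguishedName  = $newDN
        ExplicitAcesUnchanged = ($explicitBefore -eq $explicitAfter)   # expected: True
        InheritedAcesBefore   = $inheritedBefore                       # from the old parent
        InheritedAcesAfter    = $inheritedAfter                        # now from $TargetOuDN
    }
}

# Placeholder DNs; replace with real ones.
Move-AdObjectWithAclCheck -ObjectDN   'CN=Sales Printer,OU=Marketing,DC=example,DC=com' `
                          -TargetOuDN 'OU=Sales,DC=example,DC=com'

# Domain controllers move between sites rather than OUs (slide 26); the
# scripted equivalent of the Active Directory Sites And Services move is:
#   Move-ADDirectoryServer -Identity 'DC01' -Site 'Default-First-Site-Name'
```

Because the explicit ACEs travel with the object, moving it out of a tightly controlled OU into a looser one does not remove any direct grants it carried; the inherited count changing is the part that reflects the new parent, which is why a move is worth auditing as a permission change rather than a purely organizational one.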
Slide 29: Delegating Control
You can delegate administrative control of Active Directory objects to individuals so they can perform administrative tasks on the objects.
Slide 30: Guidelines for Delegating Control
You delegate administrative control of objects by assigning permissions to the objects to allow users or groups of users to administer them. An administrator can assign a user or group the permissions to:
Change the properties of a specific container
Create, modify, or delete specified types of objects in a specific OU or container
Modify specific properties of specified types of objects in a specific OU or container
Slide 31: Suggested Guidelines for Delegating Administrative Control
Assign control at the OU or container level whenever possible. This is the most common method of assigning administrative control.
Use the Delegation Of Control Wizard.
Track and record the delegation of permission assignments.
Follow the business requirements of your organization.
Slide 32: The Delegation Of Control Wizard
This wizard takes you through the process of assigning permissions at the OU or container level. To start the wizard:
1. Open Active Directory Users And Computers.
2. Right-click the container or OU for which you want to delegate control, and then select Delegate Control.
Slide 33: The Select Users, Computers, Or Groups Dialog Box (figure)
Slide 34: The Tasks To Delegate Page (figure)
Slide 35: Lesson Summary
You can delegate administrative control of objects to individuals so they can perform administrative tasks on the objects.
Assign permissions at the OU or container level whenever possible.
Use the Delegation Of Control Wizard to grant users or groups control of specific object types in an OU or container.
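Slides 30 to 32 describe OU-level delegation of specific object types and specific properties, and slide 31 asks that each delegation be tracked and recorded. The following PowerShell is an added example, not the course's own material, that performs the same kind of delegation the Delegation Of Control Wizard sets up (a group may create and delete user objects in an OU and reset passwords on the users beneath it) and appends a record of it to a log. It assumes the RSAT ActiveDirectory module; the group name, OU and log path are placeholders, and the class and extended-right GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example (not from the slides). Scripts an OU-level delegation of the
# kind the Delegation Of Control Wizard produces and records it, as slide 31
# advises. Assumes the RSAT ActiveDirectory module; the group, OU and log
# path are placeholders.
Import-Module ActiveDirectory

# Look the GUIDs up in the schema and configuration partitions.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}

function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$right.rightsGuid
}

function Grant-UserAdminDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$LogPath
    )
    $sid       = (Get-ADGroup -Identity $GroupName).SID
    $userClass = Get-SchemaClassGuid  -LdapDisplayName 'user'
    $resetPwd  = Get-ExtendedRightGuid -DisplayName 'Reset Password'
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # 1. Create and delete user objects in this OU and any child OU
    #    (the "specified types of objects in a specific OU" case on slide 30).
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow,
        $userClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # 2. Reset Password extended right, applied only to user objects below the OU
    #    (the "specific properties of specified types of objects" case).
    $resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow,
        $resetPwd,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)

    $path = "AD:\" + $OuDN
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($resetRule)
    Set-Acl -Path $path -AclObject $acl

    # Record who delegated what, where, and when.
    [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('o')
        DelegatedBy = "$env:USERDOMAIN\$env:USERNAME"
        Container   = $OuDN
        Trustee     = $GroupName
        Rights      = 'CreateChild/DeleteChild user; ExtendedRight Reset Password on descendant users'
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Placeholders; replace before use.
Grant-UserAdminDelegation -OuDN 'OU=Sales,DC=example,DC=com' -GroupName 'Sales-UserAdmins' -LogPath 'C:\AdminLogs\delegations.csv'
```

Granting the rights to a group rather than a person, and scoping the extended right to the user class only, keeps the delegation to the minimum the task needs; the CSV gives the record slide 31 asks for and is what you would diff against the live DACL later to spot grants nobody recorded.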
Slide 36: Active Directory Troubleshooting Scenarios
Symptom: Cannot add or remove a domain.
Cause: The domain naming master is not available.
Solution: Resolve the network connectivity problem, or repair or replace the domain naming master computer. It might be necessary to seize the domain naming master role.
Slide 37: Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Cannot create objects in Active Directory.
Cause: The relative ID master is not available.
Solution: Resolve the network connectivity problem, or repair or replace the computer holding the relative ID master role. It might be necessary to seize the relative ID master role.
Slide 38: Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Cannot modify the schema.
Cause: The schema master is not available.
Solution: Resolve the network connectivity problem, or repair or replace the computer holding the schema master role. It might be necessary to seize the schema master role.
Slide 39: Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Changes to group memberships are not taking effect.
Cause: The infrastructure master is not available.
Solution: Resolve the network connectivity problem, or repair or replace the computer holding the infrastructure master role. It might be necessary to seize the infrastructure master role.
Slide 40: Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Clients without Active Directory client software installed cannot log on.
Cause: The primary domain controller emulator is not available.
Solution: Resolve the network connectivity problem, or repair or replace the computer holding the primary domain controller emulator role. It might be necessary to seize the primary domain controller emulator role.
Slide 41: Active Directory Troubleshooting Scenarios (Cont.)
Symptom: Clients cannot access resources in another domain.
Cause: The trust between the domains has failed.
Solution: Reset and verify the trust between the domains. The primary domain controller emulator must be available for a trust to be successfully reset.
Slide 42: Lesson Summary
The domain naming master is needed to add or remove Active Directory domains.
The relative ID master is needed to create new objects in Active Directory.
The schema master is needed to modify the Active Directory schema.
The infrastructure master is needed to change group memberships.
The primary domain controller emulator is needed to log on to computers not running Active Directory client software.
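Each scenario on slides 36 to 41 starts from the same question: which domain controller holds the role, and is it reachable? The following PowerShell is an added example, not the course's own material, that lists the five operations master role holders, probes each on the LDAP port, pairs every role with the symptom the slides attribute to its loss, and lists the trusts relevant to slide 41. It assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later); the role holder names come from the live forest and domain.

```powershell
# Added example (not from the slides). Reports the operations master role
# holders from slides 36-42, whether each answers on LDAP (TCP 389), and the
# symptom the slides associate with that role being unavailable.
# Assumes the RSAT ActiveDirectory module and Test-NetConnection.
Import-Module ActiveDirectory

function Get-OperationsMasterHealth {
    $forest = Get-ADForest     # forest-wide roles
    $domain = Get-ADDomain     # per-domain roles

    $holders = [ordered]@{
        'Domain naming master'  = $forest.DomainNamingMaster
        'Relative ID master'    = $domain.RIDMaster
        'Schema master'         = $forest.SchemaMaster
        'Infrastructure master' = $domain.InfrastructureMaster
        'PDC emulator'          = $domain.PDCEmulator
    }
    # Symptoms as stated on slides 36-41.
    $symptoms = @{
        'Domain naming master'  = 'Cannot add or remove a domain'
        'Relative ID master'    = 'Cannot create objects in Active Directory'
        'Schema master'         = 'Cannot modify the schema'
        'Infrastructure master' = 'Changes to group memberships are not taking effect'
        'PDC emulator'          = 'Clients without AD client software cannot log on; trusts cannot be reset'
    }

    foreach ($role in $holders.Keys) {
        $holder = $holders[$role]
        $probe  = Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role          = $role
            Holder        = $holder
            LdapReachable = $probe.TcpTestSucceeded
            SymptomIfDown = $symptoms[$role]
        }
    }
}

Get-OperationsMasterHealth | Format-Table -AutoSize

# Trusts (slide 41): list them; verify a suspect one with
#   netdom trust <TrustingDomain> /d:<TrustedDomain> /verify
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType | Format-Table -AutoSize
```

A role holder that is unreachable here explains the matching symptom directly. If the holder is offline only temporarily, fix connectivity or the server as the slides say first; the "seize" step the slides mention corresponds to Move-ADDirectoryServerOperationMasterRole with -Force and should be reserved for a holder that will not return, since a seized role must never be brought back online on the old server.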