After you have delegated control to a user, there's no clear indication that this change has
been made. By default, the OU's properties don't show that another user has been delegated
control. To verify who has been delegated control of an OU, you must view the OU's permissions,
as explained in the following section.
Active Directory Object Permissions
Three types of objects can be assigned permission to access an Active Directory object: users,
groups, and computers. These object types are referred to as security principals. An Active
Directory object's security settings are composed of three components collectively referred to as
the object's security descriptor:
Discretionary access control list (DACL) — A list of security principals, with each
having a set of permissions that define access to the object. Each entry in the DACL
is referred to as an access control entry (ACE). If a security principal, or a group the
security principal belongs to, isn't in the DACL, the security principal has no access
to the object.
Object owner — Usually the user account that created the object, or a group or user who
has been assigned ownership of the object. An object owner has special authority over that
object. Most notably, even if the owner isn't in the object's DACL, the owner can still
assign permissions to the object.
System access control list (SACL) — Defines the settings for auditing access to an object.
A fourth component of the security descriptor is the primary group, which
has importance only for POSIX compatibility.
Every Active Directory object has a list of standard permissions and a list of special
permissions that can be assigned to a security principal. For simplicity's sake, the term "users" is used
when discussing permissions, but keep in mind that permissions can be assigned to any of the
three security principals: users, groups, and computers. Each permission can be set to Allow or
Deny, and five standard permissions are available for most objects:
Full control — Users can perform all actions granted by all the standard permissions,
change permissions, and take ownership of the object.
Read — Users can view objects and their attributes and permissions.
Write — Users can change the object's attributes.
Create all child objects — Users can create new child objects in the parent object.
Delete all child objects — Users can delete child objects in the parent object.
Permissions and permission inheritance for Active Directory objects
work almost identically to NTFS file and folder permissions, discussed in
Chapter 6.
In addition, different object types have other standard and special permissions. For
example, a user object has the Reset password and Read logon information permissions; an OU object
has the Create Account objects and Create Printer objects permissions.
Users can be assigned permission to an object in three different ways:
• The user's account is added to the object's DACL. This method is referred to as an explicit
permission.
• A group the user belongs to is added to the object's DACL.
• The permission is inherited from a parent object's DACL to which the user or group
account has been added.
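The three parts of the security descriptor, and the explicit-versus-inherited distinction above, can all be read from the command line. The following PowerShell is an added example, not from the textbook: it reads an OU's security descriptor with Get-Acl on the ActiveDirectory module's AD: drive and lists the owner, every ACE in the DACL (marking which ones are explicit entries on the OU itself rather than inherited from a parent), and the SACL. It assumes the RSAT ActiveDirectory module is installed and that you have permission to read the object's auditing settings; the OU distinguished name is a placeholder to replace with one from your own domain.

```powershell
# Added example (not from the textbook): inspect an OU's security descriptor to see
# who has been delegated control. Assumes the RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

# Placeholder distinguished name; substitute an OU from your own domain.
$ouPath = 'AD:\OU=Sales,DC=example,DC=com'

# -Audit also returns the SACL (auditing entries); reading it requires the
# "Manage auditing and security log" user right on the domain controller.
$sd = Get-Acl -Path $ouPath -Audit

# Component 1: the object owner. The owner can assign permissions even when
# no ACE in the DACL names the owner.
"Owner of ${ouPath}: $($sd.Owner)"

# Component 2: the DACL. Each entry is one ACE (ActiveDirectoryAccessRule).
# ActiveDirectoryRights flags correspond to the GUI's standard permissions:
#   GenericAll = Full control, GenericRead = Read, GenericWrite = Write,
#   CreateChild = Create all child objects, DeleteChild = Delete all child objects.
# ExtendedRight with an ObjectType GUID covers rights such as Reset password.
"`nAll ACEs in the DACL:"
$sd.Access |
    Select-Object IdentityReference,
                  AccessControlType,      # Allow or Deny
                  ActiveDirectoryRights,
                  IsInherited,            # $false = explicit entry on this OU
                  InheritanceType,
                  ObjectType |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize

# Explicit (non-inherited) entries are what the Delegation of Control Wizard adds,
# so this shorter list is the quickest way to see who has been delegated control here.
"`nExplicit ACEs on this OU (candidates for delegated control):"
$sd.Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType -AutoSize

# Component 3: the SACL, which controls what access to the object is audited.
"`nAudit (SACL) entries:"
$sd.Audit |
    Format-Table IdentityReference, AuditFlags, ActiveDirectoryRights, IsInherited -AutoSize
```

The IdentityReference column names a principal, which may be a group rather than a user. Because the second assignment method above works through group membership, confirming whether a particular user has been delegated control means checking the groups that user belongs to against the identities listed, not just searching for the user's own name.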