Information Technology Reference
In-Depth Information
6. Click the
Security
tab. Scroll through the list of group and user names so that you know
what ACEs are in the DACL. Click each ACE to view its permission settings in the bottom
section.
7. Click the
Joe Tech1
ACE, and scroll the permissions list at the bottom. Note that the Allow
Special permissions check box is selected.
8. Click the
Advanced
button to open the Advanced Security Settings for Marketing dialog box
(see Figure 4-5).
Figure 4-5
An OU's Advanced Security Settings dialog box
9. Double-click the first
Joe Tech1
entry. The Create User objects and Delete User objects check
boxes are selected in the Allow column, so Joe Tech1 has permission to create and delete
users in the Marketing OU. The “This object and all descendant objects” option in the Apply
to list means Joe Tech1 can create and delete users in any OUs under Marketing.
The term “descendant” means that all objects underneath the object are
also affected by the permission settings.
10. Click
Cancel
, and then double-click the next
Joe Tech1
entry. Note that all check boxes in
the Allow column of the permissions list are selected. In addition, the Descendant User
objects option is selected in the Apply to list, which means Joe Tech1 has all permissions for
all new and existing user objects in the Marketing OU.
11. Click
Cancel
three times, until only the Active Directory Users and Computers window is
open. Leave this window open for the next activity.
Effective Permissions
As discussed, effective permissions for an object are a combina-
tion of the allowed and denied permissions assigned to a security principal. These permissions
can come from assignments made directly to a user account or to a group the user belongs to.
Before examining the nuances of object permissions, take a look at some examples of how to
determine a user's effective permissions for an object. Table 4-1 lists two groups with the group
members, and Table 4-2 lists the ACEs for an OU.
Search WWH ::
Custom Search