Information Technology Reference
In-Depth Information
6. Click the Security tab. Scroll through the list of group and user names so that you know
what ACEs are in the DACL. Click each ACE to view its permission settings in the bottom
section.
7. Click the Joe Tech1 ACE, and scroll the permissions list at the bottom. Note that the Allow
Special permissions check box is selected.
8. Click the Advanced button to open the Advanced Security Settings for Marketing dialog box
(see Figure 4-5).
Figure 4-5 An OU's Advanced Security Settings dialog box
9. Double-click the first Joe Tech1 entry. The Create User objects and Delete User objects check
boxes are selected in the Allow column, so Joe Tech1 has permission to create and delete
users in the Marketing OU. The “This object and all descendant objects” option in the Apply
to list means Joe Tech1 can create and delete users in any OUs under Marketing.
The term “descendant” means that all objects underneath the object are
also affected by the permission settings.
10. Click Cancel, and then double-click the next Joe Tech1 entry. Note that all check boxes in
the Allow column of the permissions list are selected. In addition, the Descendant User
objects option is selected in the Apply to list, which means Joe Tech1 has all permissions for
all new and existing user objects in the Marketing OU.
11. Click Cancel three times, until only the Active Directory Users and Computers window is
open. Leave this window open for the next activity.
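The same DACL review can be done from PowerShell, which is easier to repeat across many OUs than clicking through each ACE. The script below is an added example, not part of the original activity; the domain name `example.com` and the logon name `jtech1` are assumptions, and it needs the ActiveDirectory module (RSAT) for the `AD:` drive.

```powershell
# Added example: read-only listing of one principal's ACEs on an OU.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Assumed values; replace with your own domain and account.
$OuDn      = 'OU=Marketing,DC=example,DC=com'   # hypothetical distinguished name
$Principal = 'jtech1'                           # hypothetical logon name for Joe Tech1

# schemaIDGUID of the User class in the default Active Directory schema.
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$Empty     = [guid]::Empty

# Translate an ACE's inheritance fields into wording close to the "Apply to" list.
function Get-ApplyTo($Ace) {
    $scope = switch ($Ace.InheritanceType.ToString()) {
        'None'        { 'This object only' }
        'All'         { 'This object and all descendant objects' }
        'Descendents' { 'All descendant objects' }
        default       { "Inheritance: $_" }   # SelfAndChildren / Children
    }
    if ($Ace.InheritedObjectType -eq $Empty) { return $scope }
    if ($Ace.InheritedObjectType -eq $UserClass -and
        $Ace.InheritanceType.ToString() -eq 'Descendents') {
        return 'Descendant User objects'
    }
    "$scope, limited to class $($Ace.InheritedObjectType)"
}

# Name the object class (or attribute) an ACE is scoped to, if any.
function Get-ObjectTypeName($Ace) {
    if     ($Ace.ObjectType -eq $Empty)     { '(any)' }
    elseif ($Ace.ObjectType -eq $UserClass) { 'User' }
    else                                    { $Ace.ObjectType.ToString() }
}

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Principal" } |
    ForEach-Object {
        [pscustomobject]@{
            Type       = $_.AccessControlType        # Allow or Deny
            Rights     = $_.ActiveDirectoryRights    # e.g. CreateChild, DeleteChild
            ObjectType = Get-ObjectTypeName $_
            ApplyTo    = Get-ApplyTo $_
            Inherited  = $_.IsInherited              # False = set directly on this OU
        }
    } | Format-Table -AutoSize
```

For the two entries examined in steps 9 and 10, the first should appear as `CreateChild, DeleteChild` on object type User applied to this object and all descendant objects, and the second as `GenericAll` applied to Descendant User objects.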
Effective Permissions
As discussed, effective permissions for an object are a combination
of the allowed and denied permissions assigned to a security principal. These permissions
can come from assignments made directly to a user account or to a group the user belongs to.
Before examining the nuances of object permissions, take a look at some examples of how to
determine a user's effective permissions for an object. Table 4-1 lists two groups with the group
members, and Table 4-2 lists the ACEs for an OU.
 