6. Click the Create a custom task to delegate option button, and then click Next.
7. Click the This folder, existing objects in this folder, and creation of new objects in this folder option button, and then click Next.
8. Click the Full Control check box in the Permissions list box. Click Next, and then click Finish.
9. Right-click TestOU1 and click Properties. Click the Security tab, and then click the Jr Admin ACE. Verify that the Full control check box in the Allow column is selected.
10. Click the Advanced button. Click the Effective Permissions tab, and then click the Select button.
11. Type jradmin, and then click OK. The effective permissions for jradmin are less than Full control because the Everyone group has a Deny Delete permission for this OU. The Deny Delete permission is added to every new OU by default and can be removed by clearing the Protect object from accidental deletion check box in the Object tab. Click OK twice.
12. Log off and log on as jradmin. Open Active Directory Users and Computers. If you see the UAC prompt to enter your password, enter Password01, and then click OK.
13. Create an OU named TestOU1-L2 under TestOU1 and an OU named TestOU1-L3 under TestOU1-L2 so that the OU structure looks like Figure 4-8.
Figure 4-8 The Test OU structure (TestOU1 > TestOU1-L2 > TestOU1-L3)
14. In the TestOU1 container, create a user named jrtest1. Create a global security group called jrgroup1 in TestOU1, and add jrtest1 as a member of this group.
15. Click View, Advanced Features from the menu. Right-click TestOU1-L2 and click Properties.
16. Click the Security tab, and then click the Advanced button. In the Advanced Security Settings dialog box, click the Owner tab. Note that jradmin is the owner of this OU because the jradmin user created the OU. Click OK.
17. Click the Add button. Type jrgroup1, and then click OK. By default, the ACE for jrgroup1 has the Allow Read permission.
18. Click jrgroup1 in the Group or user names list box, and then click the Write and Create all child objects check boxes in the Allow column. Click to clear the Read check box in the Allow column, and then click Apply.
19. Click the Advanced button, and then click the Effective Permissions tab. Click the Select button, type jrtest1, and then click OK. In the Effective permissions list box, note that jrtest1 gets the Write and Create objects permissions because jrtest1 is a member of jrgroup1. As a member of the special group Authenticated Users (discussed in Chapter 5), jrtest1 also gets the Read permission. Click OK.
20. Click the Add button. Type jrtest1, and then click OK.
21. Click jrtest1 in the Group or user names list box, and then click the Write check box in the Deny column. Click to clear the Read check box in the Allow column, and then click Apply.
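The effective permissions seen in steps 11 and 19 follow from how Windows walks a DACL in canonical order, and the same rule determines what the Deny ACE from step 21 does to jrtest1. The Python model below is an added example, not part of the original text. Assumptions made here: the four-flag Right set stands in for the real permission list, the DACLs are constructed to mirror only the ACEs named in the steps, and jradmin's token is assumed to match the Jr Admin trustee.

```python
from enum import Flag, auto
from typing import NamedTuple

class Right(Flag):               # simplified stand-ins for the GUI check boxes
    READ = auto()
    WRITE = auto()
    CREATE_CHILD = auto()
    DELETE = auto()
    FULL = READ | WRITE | CREATE_CHILD | DELETE

class Ace(NamedTuple):
    trustee: str
    allow: bool                  # False means a Deny ACE
    rights: Right
    inherited: bool = False

def effective(dacl, sids):
    """Rights a token holding `sids` ends up with on an object."""
    # Canonical DACL order: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow.
    ordered = sorted(dacl, key=lambda a: (a.inherited, a.allow))
    granted, denied = Right(0), Right(0)
    for ace in ordered:
        if ace.trustee not in sids:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied   # an earlier Deny blocks the bit
        else:
            denied |= ace.rights & ~granted   # an earlier Allow keeps the bit
    return granted

# Constructed DACLs mirroring the lab (not read from a real directory).
TESTOU1 = [
    Ace("Jr Admin", True, Right.FULL),        # step 8
    Ace("Everyone", False, Right.DELETE),     # accidental-deletion protection
]
TESTOU1_L2 = [
    Ace("Jr Admin", True, Right.FULL, inherited=True),
    Ace("Authenticated Users", True, Right.READ),
    Ace("jrgroup1", True, Right.WRITE | Right.CREATE_CHILD),   # step 18
]
STEP21 = TESTOU1_L2 + [Ace("jrtest1", False, Right.WRITE)]     # step 21

JRADMIN = {"Jr Admin", "Everyone", "Authenticated Users"}      # assumed token
JRTEST1 = {"jrtest1", "jrgroup1", "Everyone", "Authenticated Users"}

if __name__ == "__main__":
    print("step 11:", effective(TESTOU1, JRADMIN))
    print("step 19:", effective(TESTOU1_L2, JRTEST1))
    print("step 21:", effective(STEP21, JRTEST1))
```

In this model the explicit Deny Write on jrtest1 is evaluated before the Allow Write that jrgroup1 carries, so the user keeps Read and Create child objects but loses Write.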