22. Click the Advanced button, and then click the Effective Permissions tab. Click the Select button, type jrtest1, and then click OK. Scan the Effective permissions list. Note that jrtest1 no longer has the Write permission because you applied the Deny permission. Click OK twice.
23. Right-click the TestOU1-L3 OU and click Properties. Click the Security tab.
24. Scroll through the Group or user names list box. There are no entries for jrtest1 and jrgroup1 because when you add an ACE to a DACL manually, the default inheritance setting is for the ACE to apply to “This object only.” This setting can be changed, however. Click Cancel.
25. Click TestOU1-L2 to select it, and then open its Properties dialog box. Click the Security tab, and then click the Advanced button. Double-click the jrtest1 entry. In the Apply to list, change the setting to This object and all descendant objects, and then click OK. Double-click the jrgroup1 entry. In the Apply to list, change the setting to This object and all descendant objects, and then click OK. Click OK twice.
26. Right-click the TestOU1-L3 OU and click Properties. Click the Security tab. Notice that there are entries for jrtest1 and jrgroup1 now. Click the Advanced button. Click the Effective Permissions tab, and then click Select. Type jrtest1, and then click OK. Note that jrtest1's permissions are the same as for the TestOU1-L2 OU. Click OK.
27. Click jrtest1 in the Group or user names list box, and then click the Write check box in the Allow column. The Write check box in the Deny column is disabled because the permission was inherited. Click Apply, and then click the Advanced button.
28. Click the Effective Permissions tab, and then click Select. Type jrtest1, and then click OK. The Write check box is selected now because the explicit Allow Write permission you added overrides the inherited Deny Write permission. Click OK twice.
29. Close Active Directory Users and Computers and log off.
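The same inheritance and precedence behavior that steps 22 through 28 walk through in the GUI can be inspected and changed from PowerShell through the ActiveDirectory module's AD: drive. The script below is an added example, not part of the textbook's activity: it lists the ACEs that apply to a principal on an OU, rebuilds that principal's explicit ACEs so they apply to “This object and all descendant objects” (step 25), and reports which Write ACE wins under the canonical DACL ordering (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which is why the explicit Allow in step 27 overrides the inherited Deny. The distinguished names, the EXAMPLE domain, and the mapping of the GUI's generic “Write” to GenericWrite are assumptions; substitute your own values before running it.

```powershell
# Added example (not from the textbook). Assumes the ActiveDirectory module is installed,
# the caller may read and modify the OU's security descriptor, and the DNs/domain are placeholders.
Import-Module ActiveDirectory

$ouL2 = 'OU=TestOU1-L2,OU=TestOU1,DC=example,DC=com'                 # placeholder DN
$ouL3 = 'OU=TestOU1-L3,OU=TestOU1-L2,OU=TestOU1,DC=example,DC=com'   # placeholder DN
$who  = 'EXAMPLE\jrtest1'                                             # placeholder domain\user

# Equivalent of reading the Security tab: every ACE on the OU that names this principal,
# with the flags that matter for the activity (explicit vs. inherited, scope of inheritance).
function Show-OuAces {
    param([string]$Dn, [string]$Principal)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      IsInherited, InheritanceType |
        Format-Table -AutoSize
}

# Equivalent of step 25: change each explicit ACE for the principal from "This object only"
# (ActiveDirectorySecurityInheritance.None) to "This object and all descendant objects" (All).
# An ACE is immutable, so the rule is removed and re-added with the new inheritance scope.
function Set-OuAceInheritanceToAll {
    param([string]$Dn, [string]$Principal)
    $acl = Get-Acl -Path "AD:\$Dn"
    $explicit = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited })
    foreach ($ace in $explicit) {
        $rebuilt = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
            $ace.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
            $ace.InheritedObjectType)
        [void]$acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($rebuilt)
    }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Equivalent of the Effective Permissions check for Write in steps 26 and 28, reduced to the
# ordering rule: the first matching ACE in canonical order decides. Explicit ACEs precede
# inherited ones, and within each group Deny precedes Allow.
function Resolve-OuWriteAce {
    param([string]$Dn, [string]$Principal)
    $write = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  # assumed mapping of GUI "Write"
    $acl = Get-Acl -Path "AD:\$Dn"
    $candidates = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        (([int]$_.ActiveDirectoryRights -band $write) -ne 0) })
    $ordered = $candidates | Sort-Object -Property `
        @{ Expression = { $_.IsInherited } },                     # explicit ($false) first
        @{ Expression = { $_.AccessControlType -eq 'Allow' } }     # Deny ($false) first
    if (-not $ordered) { "$Principal has no Write ACE on $Dn"; return }
    $winner = $ordered | Select-Object -First 1
    $source = if ($winner.IsInherited) { 'inherited' } else { 'explicit' }
    "$Principal Write on ${Dn}: $($winner.AccessControlType) ($source ACE wins)"
}

# Usage mirroring the activity (uncomment to run against your own placeholders):
# Show-OuAces -Dn $ouL3 -Principal $who                 # step 24: nothing yet on the child OU
# Set-OuAceInheritanceToAll -Dn $ouL2 -Principal $who   # step 25: propagate the ACEs downward
# Show-OuAces -Dn $ouL3 -Principal $who                 # step 26: inherited entries now appear
# Resolve-OuWriteAce -Dn $ouL3 -Principal $who          # Deny (inherited) before step 27, Allow (explicit) after
```

From a defender's point of view, Resolve-OuWriteAce is the useful piece to keep: an explicit Allow quietly overriding an inherited Deny is exactly the kind of exception worth surfacing during permission reviews, because the parent OU's ACL no longer tells the whole story.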
In the day-to-day administration of an Active Directory domain, most administrators focus on
OUs and their child objects. In a small organization, a solid understanding of OUs and leaf
objects might be all that's needed to manage a Windows domain successfully. However, in large
organizations, building an Active Directory structure composed of several domains, multiple
trees, and even a few forests might be necessary.
When the first domain controller is installed in a network, the structure you see in Active
Directory Users and Computers—a domain object and some folder and OU containers—isn't all
that's created. In addition, the root of a new tree and the root of a new forest are created, along
with elements that define a new site. As a business grows or converts an existing network structure to Active Directory, there might be reasons to add domains to the tree, create new trees or
forests, and add sites to the Active Directory structure. This section starts by describing some
helpful terms for understanding how Active Directory operates and is organized. Next, the
forest's role in Active Directory is explained, along with using multiple forests in an Active
Directory structure. Then you examine trust relationships and domains, particularly situations
involving multiple domains and multiple trees.
A number of terms are used to describe Active Directory's structure and operations. In the following sections, you examine terms associated with directory partitions, operations masters, replication, and trust relationships.
Directory Partitions
An Active Directory database has many sections stored in the same file on a domain controller's hard drive. These sections must be managed by different processes and replicated to other domain controllers in an Active Directory network. Each section of an Active Directory database is referred to as a directory partition. There are five directory partition types in the Active Directory database:
• Domain directory partition—Contains all objects in a domain, including users, groups, computers, OUs, and so forth. There's one domain directory partition for each domain in