How Active Directory Object Permissions Can Aid Security
To understand how Active Directory object permissions can aid security, study the effect of object permission changes on an OU object. OUs contain user and computer accounts, among other objects, and any permissions set on an OU can affect the management and security of the computer accounts and user accounts that reside in it. Examining the available permissions helps you determine how to design a permission infrastructure that best increases security. Open the Security property page (shown in Figure 9-13) of any OU object in Active Directory Users and Computers. As it does for files and folders, this page presents a broad list of permissions. These permissions, like the similar ones for files and folders, are actually composite permissions.
In addition to changing Active Directory permissions with the object editor or with the Delegation Of Authority Wizard, there are three additional ways to modify these permissions. One is the dsacls command.
To explore the permissions behind Full Control, for example, click the Advanced button, and then click the Edit button. Two additional pages of permissions are displayed, one labeled Object and the other labeled Properties. The Object page (shown in Figure 9-14) lists over 70 permissions that define access to objects of those types when they are present within the OU. The Properties page displays a list of more than 70 permissions that define access to the properties of objects within the OU container. Table 9-2 lists some permissions of each type and describes how they might be used. The first seven permissions represent the composite permissions on the first security page. (Six are visible in the figure.)
One question remains. What will be the effect if multiple objects exist in the inheritance path and each object provides permissions that are inherited? Figure 9-9 shows a multiobject inheritance path and indicates two permissions set at each level. For simplicity, assume that inheritance is not blocked at any level and that all permissions applied at each level are inherited by the file quarterlyreport.doc. Will John be able to read the file or not?
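Added example (not from the original text, and not Microsoft's code): a small Python model of how Windows walks a canonical DACL assembled from a multi-level inheritance path like the one in the quarterlyreport.doc question. Explicit ACEs on the object come first, then ACEs inherited from the nearest container, then the next one up, with deny ahead of allow at each level; the check stops at the first matching deny that touches a still-ungranted right. The ACEs, principal names and right bits below are constructed, since the figure's actual entries are not on the page, so the model shows how the answer for John is determined rather than what it is.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # constructed right bits; real access masks are wider

@dataclass(frozen=True)
class Ace:
    trustee: str    # user or group name standing in for a SID
    allow: bool     # True = access-allowed ACE, False = access-denied ACE
    rights: int     # bitmask of rights the ACE allows or denies
    depth: int      # 0 = set on the object itself, 1 = from parent, 2 = grandparent ...

def canonical(dacl):
    """Order ACEs as a canonical DACL does: explicit before inherited, nearest
    container first, and within each level deny before allow."""
    return sorted(dacl, key=lambda a: (a.depth, a.allow))  # False (deny) sorts first

def access_check(dacl, token, requested):
    """Walk the canonical DACL for a principal whose token holds the names in
    `token`; return True only if every bit of `requested` ends up granted."""
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.rights & remaining:       # deny touches an ungranted right
                return False
        else:
            remaining &= ~ace.rights         # allow satisfies some rights
            if remaining == 0:
                return True
    return False                             # end of DACL with rights missing

# Constructed inheritance path for quarterlyreport.doc (not the book's figure):
# grandparent folder allows Domain Users READ, parent folder denies Marketing
# WRITE, and the file itself carries an explicit allow of READ|WRITE for John.
INHERITED = [
    Ace("Domain Users", True, READ, depth=2),
    Ace("Marketing", False, WRITE, depth=1),
]
EXPLICIT = [Ace("John", True, READ | WRITE, depth=0)]
JOHN = {"John", "Domain Users", "Marketing"}   # John's token: user plus groups

def john_can(right, with_explicit=True):
    """Decide John's access with or without the explicit ACE on the file."""
    dacl = INHERITED + (EXPLICIT if with_explicit else [])
    return access_check(dacl, JOHN, right)
```

With the explicit allow present John gets WRITE even though his Marketing group is denied it one level up; remove that explicit ACE and the inherited deny wins for WRITE while READ still flows down from the grandparent.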