Module xx: Delegating Administration
Module 6: Delegating Administrative Control
Overview
Describing How Windows 2000 Ensures Secure Access to Active Directory
Delegating and Managing Administrative Control
Using Group Policies to Enforce Security Policies
Developing a Plan to Delegate Administrative Authority
Delegating Administrative Control in Active Directory
Reviewing the Security Foundation
Understanding Security Descriptors
Delegating Access Control at the OU Level
Delegating Access Permissions and Rights at the Object and Object Property Level
Examining Access Control Entries
Ensuring Inheritance of Permissions and Rights to Child Objects
Understanding Ownership
Reviewing the Security Foundation
Security Descriptors Protect Objects
Security Principals Receive Permissions and Rights
Groups Can Be Customized
Security Identifiers Uniquely Identify Security Principals
Understanding Security Descriptors
Example of a Container Security Descriptor (figure): every Active Directory object carries a security descriptor made up of an Owner SID, a Group SID, a Discretionary ACL (DACL) and a System ACL (SACL). The DACL in the example holds three access control entries:
Grant: Owner, Full Control
Grant: World, List Contents
Grant: User1, Create Child (object type = User)
Delegating Access Control at the OU Level
Delegate Create and Delete All Objects of a Specific Type (figure): on the Users OU, one ACE with Object Type = User and Permissions = Create Child, Delete Child lets the trustee create and delete user objects, and only user objects, within that part of the OU tree.
Delegating Access Permissions and Rights at the Object and Object Property Level
Delegate Ability to Administer a Specific Property for All Objects of a Certain Type (figure): on the Groups OU, one ACE with Inherited Object Type = Group, Object Type = Group Membership (the member property), Permissions = Read Property, Write Property and Inheritance = Inherit Only. The entry is stored on the OU but applies only to the group objects beneath it, and only to their membership property, so the trustee can change who belongs to the groups but nothing else about them.
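The two delegations shown on the slides above (Create and Delete All Objects of a Specific Type on the Users OU, and Administer a Specific Property for All Objects of a Certain Type on the Groups OU), written out as an added PowerShell example. This is not code from the course; it uses the ActiveDirectory module's AD: drive, which assumes RSAT on Windows Server 2008 R2 or later with PowerShell 5 (the Windows 2000 tools the slides show have no such cmdlets). The OU names, group names and the TARA domain are placeholders, and the three schema GUIDs are the well-known base-schema values that you should confirm against your own schema.

```powershell
# Added example, not code from the course. Assumes the ActiveDirectory module (Windows
# Server 2008 R2 or later, PowerShell 5) and an account allowed to modify the OUs' DACLs.
Import-Module ActiveDirectory

# Base-schema GUIDs for the classes and attribute the slides refer to (well-known values;
# verify against schemaIDGUID in your own schema before use).
$userClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # classSchema "user"
$groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # classSchema "group"
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attributeSchema "member"

# Assumed names: OUs and delegation groups are placeholders for this example.
$usersOu       = 'OU=Users,DC=tara,DC=irish,DC=com'
$groupsOu      = 'OU=Groups,DC=tara,DC=irish,DC=com'
$userAdmins    = [System.Security.Principal.NTAccount]'TARA\UserAccountAdmins'
$groupManagers = [System.Security.Principal.NTAccount]'TARA\GroupMembershipManagers'

function Add-AdAccessRule {
    param(
        [string]$DistinguishedName,
        [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule
    )
    # Read-modify-write: Set-Acl replaces the whole descriptor, so the ACE is appended
    # to the current DACL rather than written in place of it.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# 1. OU level: Create Child + Delete Child restricted to ObjectType = user. Without the
#    object-type GUID the same rights would cover every class (computers, groups, OUs).
#    Inheritance "All" applies the ACE to this OU and the child OUs under it, matching the
#    slide's OU tree; use "None" to confine it to objects created directly in this OU.
$createDeleteUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $userAdmins,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
Add-AdAccessRule -DistinguishedName $usersOu -Rule $createDeleteUsers

# 2. Property level: Read Property + Write Property on the "member" attribute only.
#    Descendents = inherit only (the ACE sits on the OU but never applies to the OU
#    itself), and the inherited-object-type GUID limits it to children of class "group".
$manageMembers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupManagers,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)
Add-AdAccessRule -DistinguishedName $groupsOu -Rule $manageMembers

# Read back: show only the entries set here for the two delegated groups, so the
# object-type and inheritance columns can be checked against the slides.
foreach ($dn in $usersOu, $groupsOu) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference.Value -in @($userAdmins.Value, $groupManagers.Value) } |
        Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
}
```

The read-back is the check that matters: an ACE with ObjectType showing as the empty GUID means the object-type restriction was lost and the grant covers every class or every property.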
Examining Access Control Entries
Example of a User Object Security Descriptor (figure): Owner SID, Group SID, Discretionary ACL and System ACL. The DACL holds five access control entries, listed in the order the figure shows them (the Deny entry ahead of the Grant entries):
Deny: User1, Read/Write Property
Grant: Owner, Full Control
Grant: World, Read Property
Grant: User2, Read/Write Property
Grant: User3, Read/Write Property
The figure additionally tags each property entry with the property set it covers (labels Set 1, Set 2, All and Mgr), which is how a single ACE can grant or deny a bundle of related attributes instead of one attribute at a time.
Ensuring Inheritance of Permissions and Rights to Child Objects
Define Inheritance on the Root Container (figure: Full Control granted on the top-level OU flows down through each child OU in the chain)
Examine Object-specific and Property-specific Inheritance
Dynamic inheritance
Create time inheritance
Active Directory uses create-time inheritance: inheritable ACEs from the parent are copied into a child's DACL when the child is created and again whenever the parent's DACL changes, and the copies are flagged as inherited. An ACE's inheritance flags decide whether it applies to the object it is set on, to child objects only (inherit only), and to which object class; a child whose ACL is marked not to accept inheritable permissions from its parent stops the flow at that point.
Understanding Ownership
Ownership (figure): an object's owner can be a user account or a group. The current owner and members of the Administrators group can always take ownership; any other security principal can take ownership only if it holds the Take Ownership permission on the object. Because the owner can always rewrite the object's DACL, ownership is itself a delegation of control.
Examining Tools for Delegating Administrative Control
Delegation of Control Wizard
ACL Editor
Delegation of Control Wizard, "Name of the Container" page (screenshot): "You need to specify the name of the container. Control can be delegated at any container. The best places to delegate control are a domain or an organizational unit." Name of the container you want to delegate control on: tara.irish.com/Boru. Buttons: < Back, Next >, Cancel.
ACL Editor, "Boru Properties" dialog, Security tab (other tabs: General, Managed By, Object) (screenshot). Name list: Authenticated Users, Local System, Domain Admins (TARA\Domain Admins), Schema Admins (TARA\Schema Admins), Administrators (TARA\Administrators); buttons Add..., Remove. Permissions, each with Allow and Deny columns: Full Control, Read, Write, Create All Child Objects, Delete All Child Objects; Advanced... button. Check box: Allow inheritable permissions from parent to propagate to this object. Buttons: OK, Cancel, Apply.
Best Practices for Delegating Administrative Control
Assign Permissions to Groups
Assign Permissions at the OU Level Wherever Possible
Leverage Inheritance to Permit Access in an OU Hierarchy
Use Property Level Permissions Sparingly
Use a Small Number of Domain Administrators
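An added PowerShell example, not code from the course, that reads an OU's security descriptor back the way the slides on examining ACEs, inheritance and ownership describe it: the owner, whether inheritance from the parent is blocked, each ACE with its object-type GUIDs resolved to schema names, and a flag for entries granted to an individual account rather than a group (the first best practice above). It assumes the ActiveDirectory module on Windows Server 2008 R2 or later, read access to the schema and configuration partitions, and a placeholder OU distinguished name.

```powershell
# Added example, not code from the course. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 or later) and read access to the schema, Extended-Rights
# container and the OU being audited.
Import-Module ActiveDirectory

# GUID -> name table, built once: schemaIDGUID for classes and attributes, rightsGuid for
# extended rights and property sets (e.g. "Reset Password", "Personal Information").
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[Guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid {
    param([Guid]$Guid, [string]$IfEmpty)
    # The empty GUID in an ACE means "no restriction": every property / every child class.
    if ($Guid -eq [Guid]::Empty) { return $IfEmpty }
    if ($guidName.ContainsKey($Guid)) { return $guidName[$Guid] }
    return $Guid.ToString()
}

function Test-IsUserTrustee {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Resolve the trustee to a directory object; well-known SIDs (Everyone, Authenticated
    # Users, SELF, SYSTEM) have no object and count as "not a user".
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
        return ($null -ne $obj -and $obj.objectClass -eq 'user')
    } catch { return $false }
}

function Get-AdDelegationReport {
    param([string]$DistinguishedName)   # placeholder DN supplied by the caller

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Owner first: the owner can rewrite the DACL whatever it currently says, so an
    # unexpected owner is a finding on its own. AreAccessRulesProtected is the inverse of
    # the ACL editor check box "Allow inheritable permissions from parent to propagate".
    [pscustomobject]@{
        Object             = $DistinguishedName
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AceCount           = $acl.Access.Count
    }

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { $source = 'inherited from parent' } else { $source = 'set on this object' }
        [pscustomobject]@{
            Trustee      = $ace.IdentityReference.Value
            Type         = $ace.AccessControlType                    # Allow / Deny
            Rights       = $ace.ActiveDirectoryRights
            AppliesTo    = Resolve-AceGuid $ace.ObjectType 'all properties / all child types'
            ChildClass   = Resolve-AceGuid $ace.InheritedObjectType 'any'
            Inheritance  = $ace.InheritanceType                      # None, All, Descendents, ...
            Source       = $source
            DirectToUser = Test-IsUserTrustee $ace.IdentityReference  # best practice: should be False
        }
    }
}

# Usage (the DN is a placeholder):
# Get-AdDelegationReport -DistinguishedName 'OU=Boru,DC=tara,DC=irish,DC=com' | Format-List
```

Read the report from the top: a non-empty AppliesTo and ChildClass on each delegated entry confirms the grant is as narrow as the slides intend, an Inheritance of None on a grant that was meant to flow down explains why child OUs are not picking it up, and any row with DirectToUser set to True is an entry that should be moved to a group.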
Using Group Policies to Enforce Security Policies
Implementing Group Policies
Applying Default Domain Policies
Designing a Group Policy Strategy
Implementing Group Policies
Group Policy editor, gpedit - ("test" Policy) (screenshot). Tree under "test" Policy:
Computer Settings: Application Deployment, User Documents & Settings, Scripts - Startup/Shutdown, Security Settings, Software Policy
User Settings: Application Deployment, User Documents & Settings, Scripts - Logon/Logoff, Security Settings, Software Policy
Applying Default Domain Policies
Figure: each domain has its own domain policy (Domain A Policy applies to Domain A, Domain B Policy to Domain B), and each computer also has a Local Policy that is processed before the domain policy.
Designing a Group Policy Strategy
Layered vs. Monolithic Design
Single Policy Type vs. Multiple Policy Types
Functional Roles Design vs. Team Design
OU Delegation with Central or Distributed Control
Best Practices
OU Delegation with Central or Distributed Control
Figure: a GPO at the top of the OU hierarchy carries domain-wide settings (Change Password, Building Access 7am - 7 pm) and is linked with Force Policy Inheritance (No Override) so lower OUs cannot undo it. Below it, the Engineering OU and the Research OU each have their own GPO (Engineering GPO, Research GPO) that inherit the top-level settings, while the Sales OU is marked Block Policy Inheritance and links only the Sales GPO; the forced top-level GPO still applies to Sales because No Override wins over Block Policy Inheritance.
Best Practices
Minimize the Number of GPOs
Create GPOs Needed for Delegating Authority
Avoid Forcing or Blocking Inheritance
Avoid Overriding User-based Group Policy
Let Policy Flow Down By Inheritance
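An added PowerShell example, not code from the course, that lists the containers in a domain where the best practices above are not being followed: OUs set to Block Policy Inheritance, GPO links marked No Override (called Enforced in later versions), and OUs where more GPOs take effect than a chosen ceiling. It assumes the GroupPolicy and ActiveDirectory RSAT modules on Windows Server 2008 R2 or later (Windows 2000 shipped no such cmdlets) and read access to the GPOs; the ceiling of five GPOs is an assumed value.

```powershell
# Added example, not code from the course. Assumes the GroupPolicy and ActiveDirectory
# modules (Windows Server 2008 R2 or later) and read access to the domain's GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoInheritanceExceptions {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # default: the whole domain
        [int]$MaxEffectiveGpos = 5                                # assumed ceiling; tune to taste
    )

    # The domain head plus every OU under the search base; these are the containers
    # (besides sites) that GPOs link to.
    $containers = @($SearchBase) + @(Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
                                     Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn

        # Block Policy Inheritance on the container itself.
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $dn; Finding = 'Block Policy Inheritance'; Gpo = '' }
        }

        # Links on this container marked No Override / Enforced.
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) {
                [pscustomobject]@{ Container = $dn; Finding = 'No Override (Enforced) link'; Gpo = $link.DisplayName }
            }
        }

        # InheritedGpoLinks is the effective list after inheritance, blocking and
        # enforcement are applied, in processing order; a long list means slow logons
        # and settings that are hard to trace back to one GPO.
        $effective = $inh.InheritedGpoLinks.Count
        if ($effective -gt $MaxEffectiveGpos) {
            [pscustomobject]@{ Container = $dn; Finding = "$effective GPOs apply (limit $MaxEffectiveGpos)"; Gpo = '' }
        }
    }
}

# Usage:
# Get-GpoInheritanceExceptions | Format-Table -AutoSize
# Get-GpoInheritanceExceptions -SearchBase 'OU=Boru,DC=tara,DC=irish,DC=com' -MaxEffectiveGpos 3
```

An empty result is the goal: policy flowing down by inheritance alone, with no container needing a block or an override to get the settings it is supposed to have.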
Lab 6.1: Delegating Administrative Control
Review
Describing How Windows 2000 Ensures Secure Access to Active Directory
Delegating and Managing Administrative Control
Using Group Policies to Enforce Security Policies
Developing a Plan to Delegate Administrative Authority