Module xx: Delegating Administration


Module 6: Delegating Administrative Control
Overview

Describing How Windows 2000 Ensures Secure Access to Active Directory

Delegating and Managing Administrative Control

Using Group Policies to Enforce Security Policies

Developing a Plan to Delegate Administrative Authority

Delegating Administrative Control in Active Directory

Reviewing the Security Foundation

Understanding Security Descriptors

Delegating Access Control at the OU Level

Delegating Access Permissions and Rights at the Object and Object Property Level

Examining Access Control Entries

Ensuring Inheritance of Permissions and Rights to Child Objects

Understanding Ownership

Reviewing the Security Foundation

Security Descriptors Protect Objects

Security Principals Receive Permissions and Rights

Groups Can Be Customized

Security Identifiers Uniquely Identify Security Principals

Understanding Security Descriptors

Diagram: example of a container object's security descriptor. The descriptor holds an Owner SID, a Group SID, a Discretionary ACL and a System ACL. The Discretionary ACL in the example carries three access control entries:
Grant Owner: Full Control
Grant World: List Contents
Grant User1: Create Child (object type User)
Delegating Access Control at the OU Level

Delegate Create and Delete All Objects of a Specific Type

Diagram: an ACE set on the Users OU, with child OUs beneath it, defined as
Object Type = User
Permissions = Create Child, Delete Child
Delegating Access Permissions and Rights at the Object and Object Property Level

Delegate Ability to Administer a Specific Property for All Objects of a Certain Type

Diagram: an ACE set on the Groups OU, with child OUs beneath it, defined as
Inherit Object Type = Group
Object Type = Group Membership
Permissions = Read Property, Write Property
Inheritance = Inherit Only
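The two delegations drawn on the OU-level and property-level slides above, written out as an added PowerShell example that is not part of the course material. It assumes the ActiveDirectory module (AD: drive), the tara.irish.com domain seen in the wizard screenshot, and placeholder OU names (Users, Groups) and group names (User Admins, Group Admins).

```powershell
# Added example, not from the course. Assumes the ActiveDirectory PowerShell
# module (AD: drive), the domain tara.irish.com from the slides, and placeholder
# OUs "Users"/"Groups" and groups "User Admins"/"Group Admins".
Import-Module ActiveDirectory
$domainDN = 'DC=tara,DC=irish,DC=com'

# ACEs scope object types by schema GUID, so resolve a class or attribute
# name (lDAPDisplayName) to its schemaIDGUID first.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Add one Allow ACE to an OU's DACL. $ObjectType is the class being created or
# the property being accessed; $InheritedObjectType limits an inherited ACE to
# children of one class (Guid.Empty means any child).
function Add-OuAce {
    param(
        [string]$OuDN,
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $acl = Get-Acl -Path "AD:\$OuDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# OU-level slide: on the Users OU, Create Child + Delete Child for user objects only.
$userAdmins = (Get-ADGroup 'User Admins').SID
Add-OuAce -OuDN "OU=Users,$domainDN" -Identity $userAdmins `
    -Rights 'CreateChild, DeleteChild' -ObjectType (Get-SchemaGuid 'user') -Inheritance All

# Property-level slide: on the Groups OU, Read/Write Property on group membership
# (the "member" attribute), inherit-only and limited to group objects, so the
# delegate can touch neither the OU itself nor any non-group child.
$groupAdmins = (Get-ADGroup 'Group Admins').SID
Add-OuAce -OuDN "OU=Groups,$domainDN" -Identity $groupAdmins `
    -Rights 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid 'member') `
    -Inheritance Descendents -InheritedObjectType (Get-SchemaGuid 'group')
```

Both ACEs are Allow entries scoped by GUID, which is exactly what the ACL Editor's Advanced view shows after the Delegation of Control Wizard runs; a delegate granted the second ACE cannot create groups, only edit the membership of existing ones.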
Examining Access Control Entries

Diagram: example of a user object's security descriptor (Owner SID, Group SID, Discretionary ACL, System ACL). The Discretionary ACL carries five access control entries, the first a Deny and the rest Grants:
Deny User1: Read/Write Property
Grant Owner: Full Control
Grant World: Read Property
Grant User2: Read/Write Property
Grant User3: Read/Write Property
The diagram labels the property ACEs with the property set each one covers (Set 1, Set 2, Mgr, or All).
Ensuring Inheritance of Permissions and Rights to Child Objects

Define Inheritance on the Root Container

Diagram: Full Control granted on the root OU is inherited by each child OU below it.

Examine Object-specific and Property-specific Inheritance

Dynamic inheritance

Create time inheritance
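An added audit script, not course material, that shows create-time inheritance in practice: Active Directory copies inherited ACEs into each child's own security descriptor when the parent's DACL changes, so walking an OU subtree and reading each child's DACL reveals which entries came from the root container and which were set directly on a child. It assumes the ActiveDirectory module and the Boru OU in tara.irish.com from the wizard screenshot.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module and
# that the root DN is an OU (the Boru OU from the screenshot is used below).
Import-Module ActiveDirectory

# Map schema class/attribute GUIDs and extended-right/property-set GUIDs back to
# names, because an ACE stores its object types as GUIDs only.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($Guid.ToString())) { return $guidMap[$Guid.ToString()] }
    return $Guid.ToString()   # unknown GUID: show it raw rather than guess
}

# Walk an OU subtree and list every DACL entry. IsInherited is true for entries
# that were propagated from a parent at create/propagation time; false means
# the entry was set directly on this OU.
function Get-OuAceReport([string]$RootDN) {
    Get-ADOrganizationalUnit -SearchBase $RootDN -SearchScope Subtree -Filter * |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access | ForEach-Object {
                [pscustomobject]@{
                    OU          = $dn
                    Identity    = $_.IdentityReference.Value
                    Type        = $_.AccessControlType
                    Rights      = $_.ActiveDirectoryRights
                    ObjectType  = Resolve-AceGuid $_.ObjectType          # property, class or right
                    AppliesTo   = Resolve-AceGuid $_.InheritedObjectType # child class filter
                    InheritOnly = $_.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
                    Inherited   = $_.IsInherited
                }
            }
        }
}

# Explicit (non-inherited) entries on OUs below the root bypass the "define
# inheritance on the root container" practice; list them for review.
$rootDN = 'OU=Boru,DC=tara,DC=irish,DC=com'
Get-OuAceReport -RootDN $rootDN |
    Where-Object { -not $_.Inherited -and $_.OU -ne $rootDN } |
    Format-Table OU, Identity, Type, Rights, ObjectType, AppliesTo, InheritOnly -AutoSize
```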
Understanding Ownership

Diagram: the owner, or an administrator holding the Take Ownership permission, takes ownership of objects such as user accounts and groups.
Examining Tools for Delegating Administrative Control

Delegation of Control Wizard

ACL Editor

Screenshot: Delegation of Control Wizard, "Name of the Container" page. You need to specify the name of the Container. In which part of a directory can control be delegated? Control can be delegated at any container; the best places to delegate control are the domain or an organizational unit. Name of the container you want to delegate control on: tara.irish.com/Boru. (Buttons: < Back, Next >, Cancel.)

Screenshot: ACL Editor, "Boru Properties" dialog with tabs General, Managed By, Object and Security. The Security tab lists Authenticated Users, Local System, Domain Admins (TARA\Domain Admins), Schema Admins (TARA\Schema Admins) and Administrators (TARA\Administrators), with Add... and Remove buttons. Permissions are shown with Allow and Deny columns: Full control, Read, Write, Create all child objects, Delete all child objects. Below them are an Advanced... button and the checkbox "Allow inheritable permissions from parent to propagate to this object". (Buttons: OK, Cancel, Apply.)
Best Practices for Delegating Administrative Control
Assign Permissions to Groups
Assign Permissions at the OU Level Wherever Possible
Leverage Inheritance to Permit Access in an OU Hierarchy
Use Property Level Permissions Sparingly
Use a Small Number of Domain Administrators
Using Group Policies to Enforce Security Policies

Implementing Group Policies

Applying Default Domain Policies

Designing a Group Policy Strategy
Implementing Group Policies

Screenshot: gpedit showing the "test" Policy. Under Computer Settings: Application Deployment, User Documents & Settings, Scripts - Startup/Shutdown, Security Settings, Software Policy. Under User Settings: Application Deployment, User Documents & Settings, Scripts - Logon/Logoff, Security Settings, Software Policy.
Applying Default Domain Policies

Diagram: Local Policy, Domain A Policy and Domain B Policy, applied to Domain A and Domain B.
Designing a Group Policy Strategy

Layered vs. Monolithic Design

Single Policy Type vs. Multiple Policy Types

Functional Roles Design vs. Team Design

OU Delegation with Central or Distributed Control

Best Practices
OU Delegation with Central or Distributed Control

Diagram of OU delegation with an Engineering GPO, a Research GPO and a Sales GPO. Labels shown: Change Password, Force Policy Inheritance, Building Access 7am - 7 pm, Block Policy Inheritance.
Best Practices
Minimize the Number of GPOs
Create GPOs Needed for Delegating Authority
Avoid Forcing or Blocking Inheritance
Avoid Overriding User-based Group Policy
Let Policy Flow Down By Inheritance
Lab 6.1: Delegating Administrative Control
Review

Describing How Windows 2000 Ensures Secure Access
to Active Directory

Delegating and Managing Administrative Control

Using Group Policies to Enforce Security Policies

Developing a Plan to Delegate Administrative Authority