Controlling Access to Active Directory Objects
- To control access to Active Directory objects, we grant or deny permissions to security principals.
- A permission is the authority to perform an operation or a set of operations on an object, and it is granted or denied by the object’s owner.
- A security principal is a user, group, computer, or service that is assigned a unique security identifier (SID).
Standard permissions vs. Special permissions
Standard permissions are composed of special permissions, which provide us with a finer degree of control for assigning access to objects. For example, the standard Write permission is composed of the Write All Properties and All Validated Writes special permissions. Special permissions are also referred to as advanced security settings.
Viewing the standard permissions
1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers. On the View menu, ensure that Advanced Features is selected.
2. Right-click the object for which you want to view standard permissions and click Properties.
3. In the Properties dialog box for the object, click the Security tab.
4. Click the appropriate security principal in the Group Or User Names box to view the assigned standard permissions.
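The same view can be produced from PowerShell when many objects need reviewing. The script below is an added example, not part of the original post: it reads an object's access control list without changing it, lists each security principal's Allow and Deny entries, and then picks out the entries that carry both special permissions behind the standard Write permission. It assumes the RSAT ActiveDirectory module is installed, and the distinguished name is a placeholder.

```powershell
# Added example: read-only review of the permissions on one AD object.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder distinguished name (assumption): replace with a real object.
$dn = 'OU=Example,DC=example,DC=com'

$acl = Get-Acl -Path "AD:\$dn"
"Owner: $($acl.Owner)"

# One row per access control entry, grouped by security principal.
# An empty ObjectType GUID means the entry covers all properties or
# child object types rather than one specific attribute or class.
$acl.Access |
    Sort-Object { $_.IdentityReference.Value }, AccessControlType |
    Select-Object IdentityReference,
                  AccessControlType,      # Allow or Deny
                  ActiveDirectoryRights,  # the special permissions granted
                  IsInherited,            # False = set directly on this object
                  @{ Name = 'AppliesTo'
                     Expression = {
                         if ($_.ObjectType -eq [guid]::Empty) { 'All' }
                         else { $_.ObjectType }
                     } } |
    Format-Table -AutoSize -Wrap

# Standard Write = Write All Properties (WriteProperty)
#                + All Validated Writes (Self), both unrestricted.
$write = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self'

"Principals holding the standard Write permission on ${dn}:"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $write) -eq $write
    } |
    Select-Object IdentityReference, IsInherited, ActiveDirectoryRights |
    Format-Table -AutoSize -Wrap
```

Entries with IsInherited set to False were assigned on the object itself, so they are the ones to compare against what the Security tab shows for that principal.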
Setting standard permissions
1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers. Right-click the object for which you want to assign permissions and click Properties.
2. In the Properties dialog box for the object, click the Security tab. Click Add.
3. In the Select Users, Computers, Or Groups dialog box, type the name of the security principal. Click OK.
4. In the Permissions For Security Principal box, select the Allow check box or the Deny check box for each permission you want to add, change, or deny.