Module 6: Delegating Administrative Control
Overview
• Describing How Windows 2000 Ensures Secure Access to Active Directory
• Delegating and Managing Administrative Control
• Using Group Policies to Enforce Security Policies
• Developing a Plan to Delegate Administrative Authority
Delegating Administrative Control in Active Directory
• Reviewing the Security Foundation
• Understanding Security Descriptors
• Delegating Access Control at the OU Level
• Delegating Access Permissions and Rights at the Object and Object Property Level
• Examining Access Control Entries
• Ensuring Inheritance of Permissions and Rights to Child Objects
• Understanding Ownership
Reviewing the Security Foundation
• Security Descriptors Protect Objects
• Security Principals Receive Permissions and Rights
• Groups Can Be Customized
• Security Identifiers Uniquely Identify Security Principals
Understanding Security Descriptors
Figure: example of a container security descriptor. The descriptor holds the Owner SID, the Group SID, the Discretionary ACL and the System ACL. The Discretionary ACL's access control entries in the example are: Grant Owner Full Control; Grant World List Contents; Grant User1 Create Child (object type User).
Delegating Access Control at the OU Level
• Delegate Create and Delete All Objects of a Specific Type
Figure: an OU hierarchy in which, on the Users OU, Object Type = User and Permissions = Create Child, Delete Child.
Delegating Access Permissions and Rights at the Object and Object Property Level
• Delegate Ability to Administer a Specific Property for All Objects of a Certain Type
Figure: an OU hierarchy in which, on the Groups OU, Object Type = Group, Property = Membership, Permissions = Read Property, Write Property, and Inheritance = Inherit Only (the entry is inherited by the group objects below the OU rather than applying to the OU itself).
Examining Access Control Entries
Figure: example of a user object security descriptor (Owner SID, Group SID, Discretionary ACL, System ACL) whose access control entries are: Grant Owner Full Control; Grant World Read Property (all properties); Grant User2 Read/Write Property Set 1; Grant User3 Read/Write Property Mgr; Deny User1 Read/Write Property Set 2.
Ensuring Inheritance of Permissions and Rights to Child Objects
• Define Inheritance on the Root Container (figure: Full Control defined on the top OU is inherited by each child OU)
• Examine Object-specific and Property-specific Inheritance
• Dynamic inheritance
• Create time inheritance
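The two delegations pictured on the OU-level and property-level slides above, together with the inheritance settings that carry them down to child objects, written out as PowerShell. This is an added example, not course material; it assumes the ActiveDirectory module, a target OU OU=Users,DC=tara,DC=irish,DC=com modelled on the slides' tara.irish.com domain, and a delegate group TARA\Account Admins (both constructed).

```powershell
Import-Module ActiveDirectory

$ouDn     = 'OU=Users,DC=tara,DC=irish,DC=com'                          # constructed target OU
$delegate = [System.Security.Principal.NTAccount]'TARA\Account Admins'  # constructed delegate group

# Resolve schemaIDGUIDs from the schema partition rather than hard-coding them
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
$userClass  = Get-SchemaGuid 'user'     # object type = User
$groupClass = Get-SchemaGuid 'group'    # object type = Group
$memberAttr = Get-SchemaGuid 'member'   # the group membership property

$acl = Get-Acl -Path "AD:\$ouDn"

# OU-level slide: Create Child / Delete Child limited to object type User,
# on this OU and every OU beneath it (inheritance = All)
$aceUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegate,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Property-level slide: Read/Write Property "member" on Group objects only, Inherit Only
# (Descendents = inherit-only: the ACE reaches child group objects, never the OU itself)
$aceMembers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegate,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)

$acl.AddAccessRule($aceUsers)
$acl.AddAccessRule($aceMembers)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list the ACEs the delegate group now holds on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $delegate } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The final listing should show exactly two entries for the group: one with CreateChild, DeleteChild and the user class GUID, and one with ReadProperty, WriteProperty, the member attribute GUID and the group class as InheritedObjectType.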
Understanding Ownership
Figure: Permission to Take Ownership. The Owner or an Administrator takes ownership of objects such as user accounts and groups.
Examining Tools for Delegating Administrative Control
• ACL Editor (figure: the Security tab of the Boru Properties dialog, listing principals such as Authenticated Users, Local System, TARA\Domain Admins, TARA\Schema Admins and TARA\Administrators, with Allow/Deny permissions for Full Control, Read, Write, Create All Child Objects and Delete All Child Objects, and the option "Allow inheritable permissions from parent to propagate to this object")
• Delegation of Control Wizard (figure: the wizard asks for the name of the container to delegate control on, for example tara.irish.com/Boru)
In which part of a directory can control be delegated? Control can be delegated at any container. The best places to delegate control are the domain or an organizational unit.
Best Practices for Delegating Administrative Control
• Assign Permissions to Groups
• Assign Permissions at the OU Level Wherever Possible
• Leverage Inheritance to Permit Access in an OU Hierarchy
• Use Property Level Permissions Sparingly
• Use a Small Number of Domain Administrators
Using Group Policies to Enforce Security Policies
• Implementing Group Policies
• Applying Default Domain Policies
• Designing a Group Policy Strategy
Implementing Group Policies
Figure: the Group Policy editor (gpedit) opened on a "test" policy. Computer Settings contains Application Deployment, User Documents & Settings, Scripts - Startup/Shutdown, Security Settings and Software Policy; User Settings contains Application Deployment, User Documents & Settings, Scripts - Logon/Logoff, Security Settings and Software Policy.
Applying Default Domain Policies
Figure: Local Policy, Domain A Policy applied to Domain A, and Domain B Policy applied to Domain B.
Designing a Group Policy Strategy
• Layered vs. Monolithic Design
• Single Policy Type vs. Multiple Policy Types
• Functional Roles Design vs. Team Design
• OU Delegation with Central or Distributed Control
• Best Practices
OU Delegation with Central or Distributed Control
Figure: Engineering, Research and Sales GPOs linked to OUs, with example settings (Change Password; Building Access 7am - 7pm), one link using Force Policy Inheritance and one OU using Block Policy Inheritance.
Best Practices
• Minimize the Number of GPOs
• Create GPOs Needed for Delegating Authority
• Avoid Forcing or Blocking Inheritance
• Avoid Overriding User-based Group Policy
• Let Policy Flow Down By Inheritance
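A check against the inheritance practices above (Avoid Forcing or Blocking Inheritance; Let Policy Flow Down By Inheritance; Minimize the Number of GPOs), written as an added PowerShell example that is not part of the course. It assumes the ActiveDirectory and GroupPolicy modules, and the "more than 3 directly linked GPOs" threshold is a constructed value.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Walk every OU and inspect how Group Policy is inherited there
$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName

    # "Block Policy Inheritance" stops parent GPOs from flowing down to this OU
    if ($inh.GpoInheritanceBlocked) {
        [pscustomobject]@{ OU = $ou.DistinguishedName; Finding = 'Block Policy Inheritance set'; GPO = '' }
    }

    # An enforced (No Override) link forces the GPO onto every child, overriding their settings
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced) {
            [pscustomobject]@{ OU = $ou.DistinguishedName; Finding = 'Enforced (forced inheritance) link'; GPO = $link.DisplayName }
        }
    }

    # Many GPOs linked directly to one OU works against "Minimize the Number of GPOs"
    if ($inh.GpoLinks.Count -gt 3) {   # constructed threshold
        [pscustomobject]@{ OU = $ou.DistinguishedName; Finding = "$($inh.GpoLinks.Count) GPOs linked directly"; GPO = '' }
    }
}

if ($findings) { $findings | Sort-Object OU | Format-Table -AutoSize }
else           { 'No blocked or enforced inheritance found; policy flows down by inheritance.' }
```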
Review
• Describing How Windows 2000 Ensures Secure Access to Active Directory
• Delegating and Managing Administrative Control
• Using Group Policies to Enforce Security Policies
• Developing a Plan to Delegate Administrative Authority