Delegating the Administration of Windows Server 2008 Active Directory Domain Services

  • 3/5/2008

Accessing Active Directory Objects

To effectively delegate administrative tasks, you need to know how Active Directory controls access to objects stored within the directory service. Access control involves the following:

  • Credentials of the security principal attempting to perform the task or access the resource

  • Authorization data used to protect the resource or authorize the task being performed

  • An access check that compares the credentials against the authorization data to determine if the security principal is permitted to access the resource or perform the task

When a user logs on to an AD DS domain, authentication takes place and the user receives an access token. An access token includes the security identifier (SID) for the user account, SIDs for each security group of which the user is a member, and a list of privileges held by the user and the user’s security groups. The access token helps to provide the security context and credentials needed to manage network resources, perform administrative tasks, or access objects residing in Active Directory.

Security is applied to a network resource or an Active Directory object by authorization data that is stored in the Security Descriptor of each object. The Security Descriptor consists of the following components:

  • Object owner The SID for the current owner of the object. The owner is typically the creator of the object or a security principal that has taken over ownership of an object.

  • Primary group The SID for the current owner’s primary group. This information is only used by the Portable Operating System Interface for UNIX (POSIX) subsystem.

  • Discretionary access control list (DACL) A list of access control entries (ACEs) that define the permissions each security principal has to an object. Each security principal that is added to the access control list obtains a set of permissions that specify the extent to which that user or group can manipulate the object. If a user does not appear in an ACE, either individually or as a member of a group, that user has no access to the object.

  • System access control list (SACL) Defines the audit settings on an object, including which security principal is to be audited and the operations that are to be audited.

Figure 9-1 illustrates the architecture of a user’s access token and an object’s security descriptor. When a user tries to access a network resource or an Active Directory object, an access check is performed and each ACE is examined until a user or group SID match is found. Access is then determined by the permissions configured on the ACE.

Figure 9-1 Access check between a user’s access token and an object’s security descriptor.

Evaluating Deny and Allow ACEs in a DACL

ACEs are listed within a DACL in a specific order, which has a direct effect on the outcome of the access check. During an access check, ACEs are evaluated in sequence. The evaluation sequence is as follows:

  • ACEs that have been explicitly assigned are evaluated before inherited ACEs.

  • For each set of explicit or inherited ACEs, Deny ACEs are always evaluated before Allow ACEs.

Figure 9-2 illustrates how Allow and Deny permissions are evaluated for both explicit and inherited ACEs.

Figure 9-2 Evaluating Allow and Deny ACEs.
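The access check described above (token SIDs matched against the DACL, explicit ACEs before inherited ones, Deny before Allow within each set) as a small simulation. This is an added example, not code from the original chapter; the SIDs, group names and access-mask bits are constructed placeholders, not real AD rights values.

```python
from dataclasses import dataclass

# Constructed access-mask bits for this example (not the real AD rights values)
READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    sid: str         # trustee the ACE applies to
    allow: bool      # True = Allow ACE, False = Deny ACE
    mask: int        # rights the ACE allows or denies
    inherited: bool  # False = set explicitly on this object, True = inherited from parent

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | set(self.group_sids)

def canonical_order(dacl):
    """Explicit ACEs before inherited ones; within each set, Deny before Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(token, dacl, desired):
    """Walk the DACL in canonical order until the request is fully granted or denied."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.sid not in token.sids():
            continue                    # ACE is for another principal: skip it
        if not ace.allow:
            if ace.mask & remaining:
                return False            # matching Deny on a still-outstanding right
        else:
            remaining &= ~ace.mask      # accumulate granted rights
            if remaining == 0:
                return True             # every requested right is now allowed
    return False                        # no ACE granted the rest: implicit deny

# Constructed SIDs: a user who is a member of a help-desk group (placeholders)
USER, HELPDESK = "S-1-5-21-0-0-0-1105", "S-1-5-21-0-0-0-2201"
TOKEN = Token(USER, frozenset({HELPDESK}))

def run_scenarios():
    """Return the outcome of each ordering rule the chapter describes."""
    return {
        "explicit_allow_beats_inherited_deny": access_check(TOKEN, [
            Ace(HELPDESK, False, WRITE, True), Ace(USER, True, WRITE, False)], WRITE),
        "explicit_deny_beats_explicit_allow": access_check(TOKEN, [
            Ace(USER, True, READ, False), Ace(HELPDESK, False, READ, False)], READ),
        "rights_accumulate_across_aces": access_check(TOKEN, [
            Ace(USER, True, READ, False), Ace(HELPDESK, True, WRITE, True)], READ | WRITE),
        "no_matching_ace_is_implicit_deny": access_check(TOKEN, [], READ),
    }
```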