Delegating the Administration of Windows Server 2008 Active Directory Domain Services

  • 3/5/2008
Contents

Active Directory Object Permissions

Every object in Active Directory has an access control list (ACL), which means that you can modify the permissions on that object. This includes objects visible through the Active Directory Users And Computers administrative console as well as objects visible through the Active Directory Sites and Services administrative console, ADSI Edit, or Ldp.exe. The most common tool used to modify Active Directory object access is Active Directory Users And Computers. However, each of the previously mentioned tools can be used to perform the common task of managing object access within the directory service.

Access control permissions on an Active Directory object are separated into two categories: standard permissions and special permissions. Special permissions are granular options that can be applied to an object. A standard permission is made up of a group of special permissions to allow or deny a specific function. For example, the Read standard permission is made up of the Read permissions, List contents, and Read all properties special permission entries.

Standard Permissions

To view the standard permissions for any Active Directory object in the domain directory partition, access the Security page for that object’s Properties sheet in the Active Directory Users And Computers administrative console.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

If the Security page is not visible, select Advanced Features on the View menu and then reselect the object and open its Properties sheet.

The Security page displays the group or user names that are assigned permissions to the object. As you select a group or user entry, the associated allow or deny permissions for that entry are shown. Figure 9-3 illustrates the permissions for the Domain Admins group on the Sales organizational unit. Notice that, by default, the Allow box is checked for each permission to provide the Domain Admins group full control over the Sales OU.

Figure 9-3

Figure 9-3 Viewing the Security page on an Organizational Unit object.

Depending on the type of object being secured, you will notice that different permissions may be visible on the security page. For example, the following standard permissions are common with all objects:

  • Full control

  • Read

  • Write

  • Create all child objects

  • Delete all child objects

Some Active Directory objects also have standard permissions that are applied to grouped sets of properties. For example, a user object has several read-and-write property sets such as General Information, Personal Information, Phone And Mail Options, and Web Information. Each of these property sets refers to a set of object attributes, so granting access to a single property set provides access to a set of attributes. For example, the Personal Information property set includes attributes such as homePhone, homePostalAddress, and streetAddress. Using the property sets to assign access to groups of attributes simplifies the process of assigning permissions without having to modify at the granular attribute level.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

The Active Directory schema defines which attributes are part of each property set by using the rightsGuid value for the property category (in the Configuration directory partition) and the attributeSecurityGUID for the schema object. For example, the rightsGuid value for cn=Personal-Information, cn=Extended-Rights, cn=configuration, dc=forestname is equivalent to the attributeSecurityGUID for cn=Telephone-Number, cn=Schema, cn=Configuration, dc=forestname. This means that the telephone number is included in the Personal Information property set.

In addition to the standard permissions, the Security page may also show extended rights related to the object being secured. Depending on the object, these rights include options such as Allowed To Authenticate, Generate Resultant Set Of Policy, Receive As, Send As, Send To, Change Password, and Reset Password.

Special Permissions

One of the entries in the permissions list on the Security page is Special Permissions. In addition to being able to grant standard permissions, you can also grant special permissions to Active Directory objects.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

You can determine if special permissions are applied to an object by viewing the Allow or Deny check boxes located next to the Special Permissions entry. If a check mark is visible, special permissions have been assigned.

As mentioned previously, special permissions are much more granular and specific than standard permissions. To simplify management, you would typically use standard permissions on an object; however, there may be specific needs that require you to modify the special permission entries.

To get access to special permissions, click Advanced on the Security page and then ensure that the Permissions page is selected. Figure 9-4 shows the interface. Table 9-2 explains the options available on the Permissions page.

Figure 9-4

Figure 9-4 Viewing the Advanced Security Settings for an object.

Table 9-2 Special Permissions Configuration

Option

Explanation

Type

This value is set to either Allow or Deny. Normally, the interface sorts the permissions so that all Deny permissions are listed first, but the sort order can be changed by clicking any column header. Regardless of the order of appearance in this column, the Deny permissions are always evaluated first.

Name

This is the name of the security principal to which each ACE applies.

Permission

This column lists the level of permission granted for the security principal. Levels of permission can be standard rights, such as Full Control; special permissions such as Create/Delete User Objects; or just Special. The types of permissions available depend on the type of object and how granular the permission entry is.

Inherited From

This column lists the location where this permission is set and if the permission is inherited from a parent container.

Apply To

This column specifies the depth to which this permission applies. It has a variety of settings, including This Object Only, This Object And All Descendant Objects, All Descendant Objects, as well as many others.

Include Inheritable Permissions From This Object’s Parent

This option allows you to specify if parent permission entries are to be applied to the object.

Add/Edit/Remove buttons

These buttons allow you to add new ACEs, remove existing ACEs, or edit a specific ACE to provide more granular permission settings.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

The Restore Defaults button on the Permissions page resets the permissions on the object to the default permission settings as indicated in the Default Security settings of the object class in the Active Directory Schema.

In many cases, the same security principals may be listed in multiple ACEs. For example, the Account Operators group has multiple Create/Delete entries for Computer objects, Group objects, User objects, Printer objects, and InetOrgPerson objects in separate ACEs. This happens whenever you specify a combination of permissions that cannot be stored within a single ACE. In this example, each ACE can only contain focus on one type of object (Computer, User, etc.), and cannot be combined into a single ACE.

If you add or edit the permissions granted to a security principal, you are provided two different options for applying permissions. Figure 9-5 shows the first option, which is applying permissions to the object.

Figure 9-5

Figure 9-5 Assigning special permissions to Active Directory objects.

The Object tab is used to apply permissions to various object scopes:

  • This object only Permissions only apply to the object being secured or modified.

  • This object and all descendant objects Permissions will apply to both the object being secured and all child objects within the object.

  • All descendant objects Permissions will only apply to child objects within the object being modified.

  • Individual descendant objects Windows Server 2008 provides a large selection of individual descendant objects that can be granularly secured. For example, if you are assigning permissions at the OU level, you may choose to only apply permissions to computer objects within the Sales OU. These options provide the capability to delegate permissions at a granular object level.

The second option for applying permissions is to control access to the object properties. Figure 9-6 shows the interface.

The Properties page is used to apply permissions for the security principal listed in the Name field to the individual properties for the object. For example, if you are applying permissions to a user object, you are given the option of assigning Read and Write permissions to each attribute available on the object class, such as general information, group membership, and personal information.

Figure 9-6

Figure 9-6 Configuring an object’s property permissions.

How It Works: Viewing the ACE Using Ldp.exe

Ldp.exe is a graphical user interface (GUI) tool that is used to perform operations such as connect, bind, search, modify, add, or delete against any LDAP-compatible directory service. LDP can be used to view advanced Active Directory metadata such as security descriptors and replication metadata.

To view the ACL using Ldp.exe:

  1. Open the Run dialog box, type ldp, and then press Enter.

  2. Click the Connection menu and then click Connect.

    If you leave the server box empty, the server will connect to the local computer. You can also type in the server name.

  3. After you are connected to the server, click the Connection menu and then click Bind. If you are not logged in with a user account that has administrative rights, type in alternate credentials. Otherwise, leave the logon information blank.

  4. After binding to the domain, click the View menu and then click Tree.

  5. To view the entire domain, click OK. The domain OU structure will be listed in the left pane.

To view the ACL for any object, locate the object in the tree view in the left pane. Right-click the object, point to Advanced, click Security Descriptor, and finally, click OK.

As shown in Figure 9-7, a number of advanced options are available such as modifying DACL and SACL rights and modifying the security descriptor controls such as DACL and SACL protection.

Figure 9-7

Figure 9-7 Using Ldp.exe to modify the security descriptor.

When you add or edit an ACE using Ldp.exe, you are able to modify specific permissions and ACE flags on various object types and specify object inheritance. Figure 9-8 shows an illustration of the ACE editor provided with Ldp.exe.

Figure 9-8

Figure 9-8 Modifying an ACE using Ldp.exe.

Permissions Inheritance

AD DS uses a static permissions inheritance model. That is, when permissions are changed on a container object in the Active Directory structure, the changes are calculated and applied to the security descriptor for all objects in that container. Consequently, if permissions are changed higher in the Active Directory structure and these permissions are applied to all descendant objects, calculating the new ACL for each object can be a processor-intensive process. However, this initial effort means that the permissions do not need to be recalculated when a user or process tries to access the object.

There are two primary methods that are used to control inheritance of permissions:

  • Configuring inheritable permissions on the object By default, when an object is created in Active Directory, inheritable permissions are included from the object’s parent. You can determine if a permission entry is inherited by looking to see whether the check box on the Security page is shaded or not, or by viewing the Inherited From column of the Advanced Security Settings box.

  • Configuring the scope of how permissions are applied As described previously, another way to control inheritance is to specify how permissions apply to descendant objects when security is applied to an object. By default, when a new group or user name is manually added to the ACE, the entry has permissions that apply to this object only. To force inheritance to a child object, you need to modify the scope to apply to descendant objects in addition to the current object.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

If you use the Delegation Of Control Wizard, inheritance will automatically be set to This Object And All Descendant Objects. More information about the Delegation Of Control Wizard is provided in the “Delegating Administrative Tasks” section later in this chapter.

If you have designed your OU structure with the goal of delegated administration, you will have created an OU structure in which top-level administrators that require permissions to all Active Directory objects are granted permissions high in the hierarchy with delegated permissions to all descendant objects. As you move further down the hierarchy, you may be delegating permissions to other administrators who should only have control over a smaller part of the domain. For example, Figure 9-9 shows the Sales OU. Within the Sales OU are two child OUs called Eastern Sales and Western Sales. The manager who is in charge of the entire Sales division may be delegated permissions to the entire Sales OU object and all descendant objects, whereas the Eastern Sales or Western Sales managers may be delegated permissions to their own specific OU only.

Figure 9-9

Figure 9-9 Delegating management of the Sales OU.

In some cases, however, you may want to block higher-level administrators from having any administrative permissions to a specific child OU. For example, if you create a child OU for a branch office in your company, you may assign a local administrative group full control of the OU. However, you may not want those local administrators to have access to any executive user accounts in the OU. To limit their access, you can create an Executives OU within the branch office OU and then remove the option to include inheritable permissions from the object’s parent. This, in effect, blocks permissions inheritance at the Executives OU level.

To block the inheritance of permissions on an Active Directory object, access the Advanced Security Settings dialog box for the object (shown in Figure 9-4). Then clear the Include Inheritable Permissions From This Object’s Parent option. When you clear this option, you are presented with the choice to copy the existing permissions or remove all permissions before explicitly assigning new permissions, as shown in Figure 9-10.

Figure 9-10

Figure 9-10 Selecting the option to copy or remove permissions when blocking permissions inheritance.

Blocking inheritance has the following implications:

  • The permissions are blocked for the object and any descendant objects. This means that you cannot block the permissions inheritance at a container level and then reapply the inheritance from a higher container at a lower level.

  • Even if you decide to copy the permissions before modification, permissions inheritance begins where you block the permissions. If you modify the permissions at a higher level, the permissions will not be inherited past the blocked permissions.

  • You cannot be selective about which permissions are blocked. When you block permissions, all inherited permissions are blocked. Permissions that have been explicitly assigned to the object or child objects are not blocked.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

One of the possible concerns with blocking inherited permissions is that you might create an orphaned object where no one has any permissions. For example, you can create an OU, block all permissions inheritance to that OU, and assign the permissions to only one administrative group. You can even remove the Domain Admins group from the ACL of the OU so that the Domain Admins does not have any permissions under normal circumstances. If that administrative group gets deleted, the OU would have no group with administrative control. In this case, the Domain Admins group would have to take ownership of the object and reassign permissions.

Direct from the Source: Delegating Control of an OU Model

There are many schools of thought on how one should design an OU model and perform delegation within the model. The most common OU model starting points are based on business function, geography, or a hybrid of the two. A delegation model can be centralized, decentralized, or centralized with decentralized execution, but ultimately its design is a result of how a customer wants to provide operational support.

Anyone considering delegation is at one of two points in the Active Directory life cycle—either he or she is considering migrating to Active Directory, or else he or she has migrated to Active Directory and has the opportunity to revisit earlier decisions to provide a more effective and efficient environment.

For those considering migrating to Active Directory, the lesson learned is to engage early and often in discussions with the customers. Understanding how customers run their business is critical in developing an infrastructure that will work for them. If you are an employee of a company and have been tasked with migrating the environment to Active Directory, the same advice stands—talk early and often to upper management to gain a better understanding of how they want to run the business. When deciding on how to architect the solution, keep in mind that Active Directory can provide infinite granularity (depth) as well as infinite scope (breadth) because of the flexible nature of the product. One could conceivably define groups for every imaginable role (depth) and groups to cover every scope (breadth), resulting in an environment that would be difficult to manage and maintain. There is balance point between depth and breadth, and that point may be different for every customer. Factors such as number of sites and support personnel are critical in designing an effective delegation model. This is why it is critical, as an architect, to have thorough planning and design sessions with the customer or upper management from the beginning of the design process, so that there is a clear understanding of how operational support will be provided.

For those who already have an established Active Directory environment and have the ability to revisit the existing delegation model, I would recommend looking at the way you are currently maintaining operational support. You may be able to streamline your operations by scaling back the depth and breadth of your current model. It has been my experience that sometimes less is more when dealing with operational support.

Finally, communication is critical to be truly effective and meet customer or upper management expectations. I have been involved in many customer discussions in which IT professionals are discussing a topic such as delegation within Active Directory with the customer or upper management, and the terminology used has caused frustration for both sides. Before engaging in technical discussions, you should consider the following topics:

  • Who is my audience? Your audience may differ depending on whether it is a meeting or if you are writing a white paper or proposal.

  • How do I make my audience more knowledgeable? Take a few minutes to go through your delivery strategy. Are there words, phrases, or topics that may have a different meaning or connotation, depending on your audience?

  • Consider developing two or three different strategies for discussion. Using analogies is a great method for removing the technical nature from a discussion and placing the subject in a context that most non-IT professionals can understand.

Barry Hartman

Senior Consultant

Microsoft Consulting Services

Effective Permissions

As discussed so far in this chapter, a user can obtain permissions to a specific object in Active Directory in several ways:

  • The user account may be granted explicit permissions to an object.

  • One or more groups that the user belongs to may be granted explicit permissions to an object.

  • The user account or one or more groups that the user belongs to may be given permissions at a container-object level and permissions inherited by lower-level objects.

All of these permissions are cumulative; that is, the user is granted the highest level of permissions from any of these configurations. For example, if a user is explicitly given Read permission to an object, the user belongs to a group that is explicitly given Modify permissions, and the user belongs to a group that is given Full Control at the container level, the user will have Full Control. When a user attempts to access an object, the security subsystem examines all of the ACEs that are attached to the object. All of the ACEs that apply to the security principal (based on user account or group SIDs) are evaluated and the highest level of permission is set. However, in addition to ACEs that grant permissions, Active Directory also supports Deny permissions. Deny permissions can be applied at two levels:

  • The user object or one or more of the groups that the user belongs to may be explicitly denied permission to an object.

  • The user object or one or more groups that the user belongs to may be denied permissions at a container level, and this denial of permission may be inherited to lower-level objects.

Deny permissions almost always override Allow permissions. For example, if a user is a member of a group that is given Modify permissions to an Active Directory object, and the user is explicitly denied Modify permissions to the object, the user will not be able to modify the object. This is because the ACEs that deny permissions are evaluated before the ACEs that allow permissions. If one of the ACEs denies permission to the security principal, no other ACEs are evaluated for the object.

The one situation in which Allow permissions do override Deny permissions is when the Deny permissions are inherited and the Allow permissions are explicitly assigned. For example, you can deny a user the permission to modify any user accounts in a container. But, if you explicitly allow Modify permissions to an object within the container, the user account will have Modify permissions on that object.

Deny Permissions: Use Carefully

Using the Deny option to deny permissions can make your Active Directory security design very difficult to manage. There are a number of different scenarios in which you may think about using the Deny permission. One is a situation in which you may want to use the Deny option to remove some permissions that are being inherited. For example, you may grant Modify permissions at a container level but may want to change that to Read-Only farther down the hierarchy. In this case, you could deny the Write permission on any objects or properties farther down the hierarchy.

Another scenario in which you may think of using the Deny option is when you want to create a container that requires higher security. For example, you may have a container for all of the executives, and you may want to make sure that a normal user cannot read the executive account properties. You may choose to deny Read permissions on the container using the Domain Users group. Unfortunately, this denies everyone the right to read the directory objects, including all administrators. Because of the complications that can result from using the Deny option, you should use it with care.

In most cases, rather than denying permissions, you can just ensure that a user or group has not been given permissions. If a user has not been granted any permissions and is not a member of any group that has been granted permissions, the user will not have any access and will be implicitly denied. You do not need to explicitly apply the Deny permission to prevent users from accessing objects in Active Directory.

One of the few scenarios in which it can be beneficial to use the Deny option is if you have a case where a group should be given permissions, but one or more users in the same group should have a lower level of permissions. For example, you may have a group called Account Admins that is responsible for managing all user accounts in the domain. Some members of this group may be temporary employees who need to be able to manage all user accounts in the domain, but who should not be able to modify any properties on executive accounts. In this case, you could assign the Account Admins group permission to manage all user accounts in the domain. Next, create an OU for the executive accounts, and create a group for the temporary members of the Account Admins group. Then, deny the temporary users the right to modify any user accounts in the Executive OU.

As you can see, configuring security on Active Directory objects can involve managing a large number of interrelated variables. Many companies may start out with a fairly simple security design in which a small group of administrators are given all the permissions in Active Directory. Most of the time, the initial Active Directory security configuration is clearly documented. However, as time goes by, this simple initial configuration often becomes much messier. Sometimes another group of administrators is given a set of permissions for a specific task and for a specific period of time. Granting the permissions is easy to do, but often the permissions are never removed. Often these security modifications made after the initial deployment are also not clearly documented.

For any Active Directory structure that has been deployed for some time, the current security configuration is likely more complex than was initially designed. Sometimes this results in users having more permissions than they should have. Fortunately, Windows Server 2008 provides a tool that can be used to easily determine the effective permissions a security principal has to any object in Active Directory.

To determine the effective permissions that a security principal has on an Active Directory object, access that object’s properties through the appropriate Active Directory administrative tool. Click the Security page, click Advanced, and then click the Effective Permissions page. To determine the effective permissions for a specific user or group account, click Select and then search for the user or group name. After you have selected the name, click OK. The Effective Permissions page displays all of the permissions the security principal has to the Active Directory object. Figure 9-11 shows the interface for the Active Directory Users And Computers administrative tool. Notice that the Effective Permissions page for the Sales OU displays the overall permissions assigned to the Don Hall user object.

NOTE

httpatomoreillycomsourcemspimages562835.jpg

This tool has some limitations that may affect the effective permissions displayed. The tool determines the effective permissions based on inherited and explicitly defined permissions for the user account and the user’s group memberships. However, the user may also get some permissions based on how the user logs on and connects to the object. For example, in Windows Server 2008, you can assign permissions to the interactive group (that is, anyone logged on to the computer) or the network login group (that is, anyone accessing the information across the network). This Active Directory administrative tool cannot determine the permissions granted to a user based on these types of groups. Also, the tool can only determine permissions by using the permissions of the person running the tool. For example, if the user running the tool does not have permission to read the membership of some of the groups that the evaluated user object belongs to, the tool will not be able to determine the permissions accurately.

Figure 9-11

Figure 9-11 Displaying the effective permissions for an Active Directory object.

Ownership of Active Directory Objects

Every object in Active Directory has an owner. By default, the user who created an object is the owner. The owner of an object has the right to modify permissions on the object, which means that, even if the owner does not have full control of an object, the owner can always modify the permissions on the object. In most cases, the owner of an object is a specific user account rather than a group account. One exception to this is when an object is created by a member of the Domain Admins group; the ownership of the object is then assigned to the Domain Admins group. If the owner of the object is a member of the local Administrators group but not a part of the Domain Admins group, the ownership of the object is assigned to the Administrators group.

To determine the owner of an Active Directory object, access that object’s properties using the appropriate Active Directory administrative tool. Select the Security page, click Advanced, and then select the Owner page. Figure 9-12 shows the interface for the Active Directory Users And Computers administrative tool.

If you have the Modify owner permission to the object, you can use this interface to modify the owner of the object. You can chose either to take ownership for your own account or to assign the ownership to another user or group. This last option is unique in Windows Server 2003 And Windows Server 2008 Active Directory. In Microsoft Windows 2000 Active Directory, you could only take ownership of an object; you could not assign the ownership to another security principal.

Figure 9-12

Figure 9-12 Viewing the ownership of an Active Directory object.

Administrative Privileges

The administrative permissions discussed so far have to do with specific permissions on Active Directory objects and define what actions the administrator can perform on those objects. In addition to these permissions, a user may also be able to perform some tasks in Active Directory because of the privileges assigned to him or her. The permissions discussed so far are based on the ACLs that are attached to each Active Directory object. User privileges are different because user privileges are applied to user accounts. User privileges are something that the user has because of who he or she is, not because he or she has permission to modify a particular Active Directory object. For example, there are two ways that you can give a user or group the right to add workstations to the domain. One option is to give the user or group permission to Create Computer Objects either at an OU level or at the Computers container level. This allows the user to add as many workstations as needed to the domain in the specified container.

Another way to allow a user to add workstations to the domain is to ensure that the user has the Add workstations to domain privilege. This user right is a part of the Default Domain Controllers Policy. Any user who has this privilege can add up to 10 workstations to the domain. By default, the Authenticated Users group is granted this permission.

Save to your account

This chapter is from the book