Chapter 16. Active Directory Security: Permissions and Auditing
Permissions can be set in Active Directory in much the same way they are set for files. Although you may not care that every user in the directory can read all your users’ phone numbers, you may want to store more sensitive information and restrict that access. Reading is not the only problem, of course. You also have create, modify, and delete privileges to worry about, and the last thing you need is a disgruntled or clever employee finding a way to delete all the users in an organizational unit.
Managing the permissions in Active Directory doesn’t have to be a headache. You can design sensible permissions schemes using guidelines on inheritance and complexity that will allow you to have a much easier time as a system administrator. The GUI that Microsoft provides is effective for simple tasks, but more cumbersome for managing complex permissions. Management of Active Directory permissions is also supported by Active Directory Service Interfaces (ADSI), which opens up a whole raft of opportunities for you to use scripts to track problems and manipulate access simply and effectively. Finally, Windows PowerShell and the DSACLS utility allow administrators to manage permissions from a command line if you prefer an alternative to the GUI.
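As an added illustration of the scripting approach mentioned above (this is not the book's own code), the following PowerShell function lists the ACEs set directly on an organizational unit, skipping inherited ones, and flags those that grant more than read access. It assumes the ActiveDirectory module is installed (it exposes the `AD:` drive used by `Get-Acl`) and uses a placeholder OU distinguished name.

```powershell
# Added example: audit the explicit (non-inherited) ACEs on an OU via the
# ActiveDirectory module's AD: PSDrive. The OU DN below is an assumed placeholder.
Import-Module ActiveDirectory

function Get-ExplicitOUAccess {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    # Get-Acl resolves AD objects when given a path on the AD: drive.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Rights that let a trustee create, change or remove objects rather than merely read them.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from a parent container; entries set directly on this
        # OU are the first thing to review, since they are where ad hoc grants end up.
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Inheritance = $ace.InheritanceType
            ObjectType  = $ace.ObjectType   # GUID of the attribute/class it applies to; all zeros means everything
            CanModify   = (($ace.ActiveDirectoryRights -band $writeRights) -ne 0)
        }
    }
}

# Example call with a placeholder DN; replace it with an OU from your own forest.
# Only Allow entries that confer some write-type right are shown.
Get-ExplicitOUAccess -DistinguishedName 'OU=Sales,DC=example,DC=com' |
    Where-Object { $_.Type -eq 'Allow' -and $_.CanModify } |
    Format-Table -AutoSize
```

The same OU's ACL can be dumped from a plain command prompt with `dsacls "OU=Sales,DC=example,DC=com"` when the PowerShell module is not available, though the output then has to be read by eye rather than filtered.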
Yet permissions are only half the story. If you allow a user to modify the details of every user in a specific branch below a certain organizational unit, you can monitor the creations, ...