Chapter 11. Active Directory Security: Permissions and Auditing

Permissions can be set on Active Directory objects in the same way they are set on files. While you may not care that everyone in the tree can read all your users’ phone numbers, you may want to store more sensitive information in the directory and restrict who can read it. Reading is not the only problem, of course. You also have create, modify, and delete rights to worry about, and the last thing you need is a disgruntled or clever employee finding a way to delete every user in an Organizational Unit. And inheritance adds complexity in the usual way: an entry granted high in the tree flows down to every object beneath it unless something blocks it.
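The two concerns in the paragraph above, auditing who holds delete rights on an OU and restricting read access to a sensitive attribute on the users beneath it, map directly onto the .NET ActiveDirectorySecurity API that the ActiveDirectory PowerShell module exposes through its AD: drive. The following is an added example, not code from the book; the OU distinguished name, the HR group name and the choice of employeeID as the "sensitive" attribute are assumptions you would replace with your own. The user class GUID is the well-known schema value.

```powershell
# Added example: audit delete rights on an OU, then grant read on one attribute
# to a group, inherited by every user object under the OU.
Import-Module ActiveDirectory

# Hypothetical OU and group; substitute your own.
$ouDN    = 'OU=Sales,DC=example,DC=com'
$hrGroup = [System.Security.Principal.NTAccount]'EXAMPLE\HR Staff'

# The ActiveDirectory module exposes each object's security descriptor
# through the AD: PSDrive, so Get-Acl/Set-Acl work just as they do on files.
$acl = Get-Acl -Path "AD:\$ouDN"

# --- 1. Audit: who can delete this OU, its children, or the whole subtree? ---
# DeleteChild on the OU is what lets someone remove every user in it;
# DeleteTree removes the OU and everything underneath in one operation.
$deleteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)

$acl.Access |
    Where-Object { ([int]$_.ActiveDirectoryRights -band $deleteMask) -ne 0 } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, IsInherited |
    Format-Table -AutoSize
# IsInherited = True means the entry was not set here: look up the tree
# (or at the default security descriptor in the schema) for its origin.

# --- 2. Restrict: give HR read access to one attribute on every user below ---
# Object-specific ACEs are keyed by the attribute's schemaIDGUID, so look it up.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'employeeID' } `
                     -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

# Well-known schemaIDGUID of the 'user' object class.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Allow ReadProperty on employeeID, applying only to descendant user objects.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $hrGroup,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($rule)

# -WhatIf shows the change without writing it; drop it once you have reviewed
# the audit output above and are sure the ACE is what you intend.
Set-Acl -Path "AD:\$ouDN" -AclObject $acl -WhatIf
```

Granting read to HR only helps if the broad read that everyone already has on user attributes does not also cover employeeID; in a default domain it does, so the audit step is where you find out which inherited entries you would have to remove or block before the new ACE means anything. Prefer removing or narrowing those allow entries over adding Deny ACEs, which are evaluated first and are easy to forget.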

None of this should be new to system managers who already deal with Windows NT Access Control Lists and Access Masks, IntraNetWare’s Trustee Lists and Inherited Rights Masks, or Unix’s file permission bits. In fact, Microsoft has carried the NT file-permission terminology forward to Active Directory, so if you already know these terms, you’re well ahead. If you are not familiar with them, don’t worry. Microsoft has a great tradition of calling a shovel a ground-insertion-earth-management device. Permissions terminology can seem confusing at first, so we’ll go through it all in detail.

Managing the permissions in Active Directory doesn’t have to be a headache. You can design sensible permissions schemes using guidelines on inheritance and complexity that will allow you to have a much easier time as a systems administrator. The GUI that Microsoft provides is fairly ...
