August 2019
Intermediate to advanced
786 pages
20h 22m
English
Access to a shared folder by users or groups is controlled by an access control list (ACL). Permissions on AD objects can be defined in the same way. An ACL can be applied to an individual object or to an AD site, domain, or OU, and the same permissions can then be forced onto lower-level objects.
As an example, I have a security group called First Line Engineers, and Liam is a member of this group. Liam is an engineer in the Europe office. In the AD environment, Liam should be allowed to add user objects under any sub-OU that is under the Europe OU. However, he should not be allowed to delete any objects that are under it. Let's see how we can do this using ACLs:
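One way to express this delegation in PowerShell, as an added example rather than the book's own steps: it grants the group the right to create user objects on the Europe OU and everything beneath it, then checks that the group holds no delete right there. The domain DN `DC=example,DC=com` and the OU's position directly under the domain root are assumed placeholders.

```powershell
Import-Module ActiveDirectory

# Assumed placeholder DN: the page names the Europe OU but not the domain.
$ouPath = 'AD:\OU=Europe,DC=example,DC=com'
$sid    = (Get-ADGroup -Identity 'First Line Engineers').SID

# schemaIDGUID of the "user" class, so the ACE covers user objects only.
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Allow CreateChild for user objects on the Europe OU and all descendants
# (inheritance type 'All'), which covers every sub-OU under it.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.IdentityReference]$sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Check: the group must hold no Allow ACE carrying a delete right on the OU.
# GenericAll includes these bits, so a full-control ACE is flagged as well.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree'
$sidType = [System.Security.Principal.SecurityIdentifier]
$risky = (Get-Acl -Path $ouPath).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $deleteRights) -ne 0
    }

if ($risky) {
    $risky | Format-Table ActiveDirectoryRights, ObjectType, IsInherited
    Write-Warning 'First Line Engineers holds a delete right on the Europe OU.'
} else {
    'No delete rights found for First Line Engineers on the Europe OU.'
}
```

The check covers only ACEs on the Europe OU that name the group itself; delete rights Liam receives through other group memberships, or through ACEs set directly on child objects, need a separate review.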