Providing Security for Active Directory Objects
The concept of providing security for Active Directory objects can be viewed in two different ways. First, you can secure the object itself so that only authorized principals can read or modify it. By default, the operating system takes care of this through the default permissions on the objects, as discussed in the earlier “Providing Security for the Domain” section. However, we need to discuss another approach: delegation of administrative control.
Delegation of administrative control, or just delegation as it is usually called, is not as complex as the name implies. Delegation is nothing more than setting permissions on objects in Active Directory. Those permissions use the same ACL model you already know from files and folders on an NTFS volume: each object carries a security descriptor with a DACL of allow and deny ACEs, and ACEs inherit down the container (OU) hierarchy. Active Directory adds finer-grained rights that NTFS does not have, such as permissions on individual attributes and extended rights like Reset Password, and those are what make precise delegation possible. The Delegation of Control Wizard is useful for the common tasks it offers, but more complex permissions require setting the ACEs by hand. Examples of delegation include:
Giving the HR managers the ability to change group membership for the HR groups
Giving the branch office staff the ability to create their own global groups
Giving the helpdesk the ability to reset passwords for all user accounts, except for the IT staff
One thing to keep in mind as you secure objects in Active Directory is the OU design. Because permissions inherit down the OU tree, the OU design must be settled before any delegation is performed; otherwise you might grant too much control or affect the wrong objects. The helpdesk example above, for instance, is only clean if the IT staff accounts live in an OU that is outside the delegated tree, or in a sub-OU where the inherited grant is explicitly overridden.
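The following PowerShell script is an added example, not code from the book, that performs the helpdesk delegation described above by hand rather than through the Delegation of Control Wizard. It assumes a hypothetical domain layout (an OU named Staff under the domain root, an IT sub-OU beneath it, and a group named HelpDesk); the three GUIDs are the well-known identifiers of the Reset Password extended right, the pwdLastSet attribute and the user object class, which are the same in every Active Directory forest. It grants the HelpDesk group the right to reset passwords on user objects under Staff, denies the same right on the IT sub-OU, and then reads the ACLs back so you can verify what was actually set.

```powershell
# Added example (not from the book). Assumed names: OU=Staff and OU=IT,OU=Staff
# under the domain root, and a global group called HelpDesk.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$targetOU = "OU=Staff,$domainDN"            # delegated tree
$exemptOU = "OU=IT,OU=Staff,$domainDN"      # IT staff must NOT be resettable by helpdesk
$helpdesk = Get-ADGroup -Identity "HelpDesk"
$sid      = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID

# Well-known GUIDs (rightsGuid / schemaIDGUID values, identical in every forest)
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class

function New-DelegationAces {
    # Builds the two ACEs the wizard's "Reset user passwords and force password
    # change at next logon" task creates, as either Allow or Deny entries.
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    # Apply to descendant objects only, and only to those of class "user"
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # 1. The Reset Password control access right (an extended right, not a property)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Type, $resetPasswordRight, $inherit, $userClass)

    # 2. Read/Write on pwdLastSet, so the helpdesk can set it to 0 ("change at next logon")
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        $Type, $pwdLastSetAttr, $inherit, $userClass)
}

# Allow on the Staff OU; the ACEs inherit to every user object below it.
$acl = Get-Acl -Path "AD:\$targetOU"
New-DelegationAces -Sid $sid -Type Allow | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Explicit Deny on the IT sub-OU. For a user object under IT the Deny inherited from the
# nearer parent is evaluated before the Allow inherited from Staff, so the Deny wins.
$acl = Get-Acl -Path "AD:\$exemptOU"
New-DelegationAces -Sid $sid -Type Deny | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$exemptOU" -AclObject $acl

# Verify: show every ACE that names HelpDesk on both OUs, inherited ones included.
foreach ($ou in $targetOU, $exemptOU) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\HelpDesk" } |
        Select-Object @{ n = 'OU'; e = { $ou } }, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, IsInherited |
        Format-Table -AutoSize
}
```

Run it as a domain administrator. The verification loop should list two Allow entries on the Staff OU and, on the IT OU, the two inherited Allow entries plus two explicit Deny entries. The Deny is shown because the book's example asks for "all user accounts except IT"; in practice, moving the IT accounts to an OU outside the delegated tree is the cleaner design, since Deny ACEs are easy to overlook when troubleshooting and are lost if someone later moves the IT OU.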
Delegation is typically provided ...