Module 3: Planning for Delegation of Administrative Authority - PowerPoint PPT Presentation

Presentation Transcript

  1. Module 3: Planning for Delegation of Administrative Authority

  2. Overview • Secure Access to Active Directory • Developing a Plan to Delegate Administrative Authority

  3. Secure Access to Active Directory • Active Directory Security Components • Security Descriptors • Access Control Entries • Ownership • Delegating the Ability to Grant Permissions • Inheritance of Permissions

  4. Active Directory Security Components • Security Principals Receive Permissions • Security Identifiers Uniquely Identify Security Principals • Security Descriptors Protect Objects

  5. Security Descriptors (diagram labels: Objects; Security Descriptor; Owner SID; Group SID; DACL; SACL)

  6. Access Control Entries • ACEs Protect Objects • Access Can Be: Denied; Granted • ACEs Contain: Access rights; GUID that identifies object or attribute type; SID that identifies the security principal; Flags that control inheritance

  7. Ownership (diagram labels: Owner; Grants Permission to Take Ownership; User Account; Takes Ownership)

  8. Delegating the Ability to Grant Permissions • Permissions Define Type of Access a User Has to an Object • Delegate the Ability to Grant Permissions By: Delegating to users or groups of users; Defining access on the object or attribute; Granting special permissions; Using inheritance

  9. Inheritance of Permissions • Objects Inherit Existing Permissions • Inheritance Can Be Blocked (diagram: three OUs, each labeled Full Control)

  10. Developing a Plan to Delegate Administrative Authority • Defining OU Administrator Access • Examining Delegation Methods • Delegation Tools

  11. Defining OU Administrator Access • Level of Administration • Who Will Administer Users and Resources • Ownership Scheme for Each OU • Permissions Inheritance Scheme • Flexibility in Delegation Model • Mapping of Administrative Roles

  12. Examining Delegation Methods • Changing Container Properties • Creating, Changing, and Deleting Child Objects • Updating Object Attributes • Creating New Users or Groups • Managing Small Groups of Users or Groups

  13. Delegation Tools • Delegation of Control Wizard: In which part of a directory can control be delegated? Control can be delegated at any container. The best places to delegate control are the domain or an organizational unit. • Name of the container you want to delegate control on: tara.irish.com/Boru (screenshots: Delegation of Control Wizard and the Boru Properties dialog with tabs General, Managed By, Object, Security; names listed: Authenticated User, Local System, Domain Admins (TARA\Domain Admins), Schema Admins (TARA\Schema Admins), Administrators (TARA\Administrators); permissions with Allow/Deny columns: Full control, Read, Write, Create all child objects, Delete all child objects; checkbox: Allow inheritable permissions from parent to propagate to this object)

  14. Best Practices • Grant Permissions to Groups • Grant Permissions at the OU Level When Possible • Use Inheritance for Group Policy • Use a Small Number of Domain Administrators

  15. Lab A: Delegating Administrative Control

  16. Review • Secure Access to Active Directory • Developing a Plan to Delegate Administrative Authority
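
An added example, not part of the original presentation: slides 5 and 6 list the parts of a security descriptor and of an ACE, and this Python sketch parses those parts out of an SDDL string (the standard text form of a Windows security descriptor), then reports which trustees hold rights that let them re-grant permissions or take ownership (slides 7 to 9). The sample descriptor, its SIDs and GUID, and the function names are constructed for illustration.

```python
import re

ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow (object)",
             "OD": "deny (object)", "AU": "audit", "OU": "audit (object)"}
INHERIT_FLAGS = {"CI": "container inherit", "OI": "object inherit",
                 "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
RIGHTS = {"RP": "read property", "WP": "write property", "CC": "create child",
          "DC": "delete child", "LC": "list children", "DT": "delete tree",
          "CR": "control access", "SD": "delete", "RC": "read control",
          "WD": "write DACL", "WO": "write owner", "GA": "generic all"}

def parse_ace(text):
    """ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    kind, flags, rights, guid, inh_guid, sid = (text.split(";") + [""] * 6)[:6]
    inherit = [INHERIT_FLAGS[f] for f in re.findall("..", flags) if f in INHERIT_FLAGS]
    return {"type": ACE_TYPES.get(kind, kind), "inheritance": inherit,
            "rights": [RIGHTS.get(c, c) for c in re.findall("..", rights)],
            "object_guid": guid or None, "inherited_object_guid": inh_guid or None,
            "trustee": sid}

def parse_sddl(sddl):
    """Split O: (owner), G: (group), D: (DACL), S: (SACL); parse each ACE."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": [], "protected": False}
    tags = list(re.finditer(r"[OGDS]:", sddl))
    for i, m in enumerate(tags):
        end = tags[i + 1].start() if i + 1 < len(tags) else len(sddl)
        tag, body = m.group()[0], sddl[m.end():end]
        if tag in "OG":
            sd["owner" if tag == "O" else "group"] = body
            continue
        aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
        sd["dacl" if tag == "D" else "sacl"] = aces
        if tag == "D":  # "P" control flag: inheritance from the parent is blocked
            sd["protected"] = "P" in body.split("(")[0]
    return sd

def can_regrant(sd):
    """Trustees whose allow ACE lets them rewrite the DACL or take ownership."""
    risky = {"write DACL", "write owner", "generic all"}
    return [(a["trustee"], "inherited" in a["inheritance"]) for a in sd["dacl"]
            if a["type"].startswith("allow") and risky & set(a["rights"])]

# Constructed sample descriptor; the SIDs and the GUID are made up.
SAMPLE = ("O:DAG:DAD:AI(A;CI;GA;;;DA)"
          "(OA;CIIO;RPWP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1-2-3-1105)"
          "(A;CIID;WDWO;;;S-1-5-21-1-2-3-1106)(D;;DT;;;WD)S:(AU;SA;WP;;;WD)")

if __name__ == "__main__":
    for trustee, inherited in can_regrant(parse_sddl(SAMPLE)):
        print(trustee, "inherited" if inherited else "explicit")
```

In the output, an "explicit" entry was set on the object itself, while an "inherited" one has to be corrected on the parent container it flows from.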