Module 3: Planning for Delegation of Administrative Authority

PowerPoint Slideshow about 'Module 3: Planning for Delegation of Administrative Authority' - hidi


Presentation Transcript
Overview
  • Secure Access to Active Directory
  • Developing a Plan to Delegate Administrative Authority
Secure Access to Active Directory
  • Active Directory Security Components
  • Security Descriptors
  • Access Control Entries
  • Ownership
  • Delegating the Ability to Grant Permissions
  • Inheritance of Permissions
Active Directory Security Components
  • Security Principals Receive Permissions
  • Security Identifiers Uniquely Identify Security Principals
  • Security Descriptors Protect Objects
Security Descriptors
  • Objects
  • Security Descriptor
    • Owner SID
    • Group SID
    • DACL
    • SACL
Access Control Entries
  • ACEs Protect Objects
  • Access Can Be
    • Denied
    • Granted
  • ACEs Contain
    • Access rights
    • GUID that identifies object or attribute type
    • SID that identifies the security principal
    • Flags that control inheritance
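
The descriptor parts and ACE fields listed above are visible in SDDL, the string form Windows uses for security descriptors. The following is an added example, not part of the original slides: a small parser plus a check for allow ACEs that grant full control, change-permissions or take-ownership rights to unexpected trustees. The sample descriptor, SIDs, GUIDs and the `expected` trustee list are constructed assumptions.

```python
import re

ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object-allow",
             "OD": "object-deny", "AU": "audit", "OU": "object-audit"}
# Rights that hand over control of the object itself:
# GA = full control, WD = change permissions (write DACL), WO = take ownership.
CONTROL_RIGHTS = {"GA", "WD", "WO"}

def _pairs(codes):
    """Split a run of two-letter SDDL codes, e.g. 'CIIO' -> ['CI', 'IO']."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]

def parse_ace(text):
    """ACE fields: type;flags;rights;object GUID;inherited-object GUID;trustee."""
    kind, flags, rights, obj, inh, trustee = (text.split(";") + [""] * 6)[:6]
    return {"access": ACE_TYPES.get(kind, kind),
            "flags": _pairs(flags),                      # inheritance control
            "rights": [rights] if rights.startswith("0x") else _pairs(rights),
            "object_guid": obj or None,                  # object/attribute type
            "inherit_object_guid": inh or None,
            "trustee": trustee}                          # SID or SID alias

def parse_sddl(sddl):
    """Return owner, group, DACL and SACL from an SDDL string."""
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    sd = {"owner": sections.get("O"), "group": sections.get("G")}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        body = sections.get(key)
        sd[name] = (None if body is None else
                    [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)])
    return sd

def control_grants(sd, expected=("DA", "SY", "BA")):
    """Allow ACEs giving control rights to trustees outside `expected`."""
    hits = []
    for ace in sd["dacl"] or []:
        granted = CONTROL_RIGHTS & set(ace["rights"])
        if ace["access"].endswith("allow") and granted and ace["trustee"] not in expected:
            hits.append((ace["trustee"], sorted(granted)))
    return hits

# Constructed sample: descriptor for an OU; SIDs and GUIDs are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = ("O:DAG:DAD:AI(A;CI;GA;;;DA)"
          "(OA;CIIO;RPWP;11111111-aaaa-bbbb-cccc-000000000001;"
          f"11111111-aaaa-bbbb-cccc-000000000002;{DOMAIN}-1105)"
          f"(A;CIID;WDWO;;;{DOMAIN}-1106)(D;;SD;;;AU)S:(AU;SA;WD;;;WD)")

if __name__ == "__main__":
    for trustee, rights in control_grants(parse_sddl(SAMPLE)):
        print(trustee, "can take control via", rights)
```
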
Ownership
  • Owner: Grants Permission to Take Ownership
  • User Account: Takes Ownership
Delegating the Ability to Grant Permissions
  • Permissions Define Type of Access a User Has to an Object
  • Delegate the Ability to Grant Permissions By
    • Delegating to users or groups of users
    • Defining access on the object or attribute
    • Granting special permissions
    • Using inheritance
Inheritance of Permissions
  • Objects Inherit Existing Permissions
  • Inheritance Can Be Blocked
  • [Figure: three OUs, each labeled Full Control]
Developing a Plan to Delegate Administrative Authority
  • Defining OU Administrator Access
  • Examining Delegation Methods
  • Delegation Tools
Defining OU Administrator Access
  • Level of Administration
  • Who Will Administer Users and Resources
  • Ownership Scheme for Each OU
  • Permissions Inheritance Scheme
  • Flexibility in Delegation Model
  • Mapping of Administrative Roles
Examining Delegation Methods
  • Changing Container Properties
  • Creating, Changing, and Deleting Child Objects
  • Updating Object Attributes
  • Creating New Users or Groups
  • Managing Small Groups of Users or Groups
Delegation Tools
  • Delegation of Control Wizard
    • Name of the container you want to delegate control on
    • In which part of a directory can control be delegated? Control can be delegated at any container. The best places to delegate control are the domain or organizational unit.
  • Boru Properties (tara.irish.com/Boru)
    • Tabs: General, Managed By, Object, Security
  • Names shown in the screenshots
    • Authenticated User
    • Local System
    • Domain Admins (TARA\Domain Admins)
    • Schema Admins (TARA\Schema Admins)
    • Administrators (TARA\Administrators)
  • Permissions (Allow / Deny)
    • Full control
    • Read
    • Write
    • Create all child objects
    • Delete all child objects
  • Allow inheritable permissions from parent to propagate to this object

Best Practices
  • Grant Permissions to Groups
  • Grant Permissions at the OU Level When Possible
  • Use Inheritance for Group Policy
  • Use a Small Number of Domain Administrators
Review
  • Secure Access to Active Directory
  • Developing a Plan to Delegate Administrative Authority