Active Directory: Allowing or Denying Access

Active Directory stores a myriad of information about your system and its users. You may want to limit--or allow--access to some of this important data.

By Brien M. Posey | Posted Jun 26, 2000

There are a million reasons why you might want to regulate the Active Directory under Windows 2000. In this article, I'll discuss some situations in which the default Active Directory permissions might not be appropriate. I'll then go on to explain how to make some security changes.

Before we begin

Before we get started, it's important to have a little bit of background about Active Directory. As you're no doubt aware, Active Directory is a database that Windows 2000 uses to maintain various aspects related to the network. For example, all the user accounts are stored in the Active Directory. These accounts contain the traditional features, such as passwords and account policies, all of which are maintained within the Active Directory. However, unlike the Windows NT Security Accounts Manager, Active Directory is also useful from an end-user perspective--the Active Directory can contain a wealth of information about each user. For example, you can specify a user's department, phone number, birthday, or any other information you want people to know. It's possible to use the Active Directory database as a company directory.

Why restrict access?

Because of the type of information the Active Directory stores and can store, you may not want everyone to have access to everything. For example, suppose you use the Active Directory as a company directory. You probably want everyone to be able to read the company directory--but you don't want just anyone to be able to change it. For example, you wouldn't want a user to change another user's phone number. Each user should only have access to change his or her own information.

Likewise, you'll probably want to hide certain fields from most users. For example, you might restrict the home phone number field to managers or to the human resources department.

As I mentioned, the Active Directory's primary purpose is to manage various aspects of the operating system. Of course, this portion of the Active Directory is restricted by default. However, in some situations you may want to grant access to a portion of the system side of the Active Directory to various users. For example, suppose you decide that you want your help desk to be able to reset passwords, but you don't want to give them full administrative access. You can accomplish this by granting them access to a portion of the Active Directory, rather than adding them to the Administrators group or the Account Operators group.

Similarly, in a large company, a department may have a computer-savvy manager who is willing to take responsibility for managing that department's user accounts. Depending on the structure of your Active Directory, you can grant the manager permission to change passwords for his department only. You can also grant permission for that manager to add users to the groups associated with that department. By doing so, you've removed some of the administrative burden from the IT staff without jeopardizing your network's security. Basically, with Active Directory, it's easy to give users control over the aspects that you want them to control without granting them access to anything extra.

Setting Active Directory security

Now that we've discussed why you might want to change some of your Active Directory permissions, let's take a look at how to do so. Unfortunately, space limitations prevent me from discussing all the intricacies of Active Directory security in this article. For now, let's look at a method for allowing your help desk staff to reset passwords without granting them excessive permissions. Follow these steps:
  1. Open the Active Directory Users and Computers tool from the Start|Programs|Administrative Tools menu.
  2. Select the Users folder and then select the Group command from the Console menu's New menu.
  3. Create a group called Help Desk. You can make the group domain local, global, or universal, depending on your needs.
  4. Navigate to Active Directory Users|your domain|Domain Controllers. Right-click on the Domain Controllers object and select the Delegate Control command from the resulting context menu. Doing so will launch the Delegation Of Control Wizard.
  5. Follow the prompts until you reach the screen that asks you to select a user or group. Select the Help Desk group and continue with the wizard.
  6. The next screen allows you to delegate common tasks, such as resetting passwords or managing user accounts.
You can use the Delegation Of Control wizard to easily add a permission that allows members of the Help Desk group to reset passwords, without giving the group full administrative privileges. If you need to grant someone authority beyond just the simple tasks listed in the Tasks To Delegate screen, you can select the Create A Custom Task To Delegate radio button and then click Next. Doing so will present you with a series of screens that let you delegate any user right or combination of rights that you can possibly imagine.
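The same delegation as a script, added here as an example and not part of the original article: it creates the Help Desk group, grants it the two permissions the wizard's password-reset task grants (the Reset Password extended right and write access to pwdLastSet on user objects), and then reads the ACL back so the delegation can be reviewed. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain admin session; $TargetOU is a placeholder for the container whose users the Help Desk may reset.

```powershell
# Added example (not from the article): scripted equivalent of the wizard's
# "reset passwords" task. Assumes RSAT's ActiveDirectory module and a domain admin.
Import-Module ActiveDirectory

$GroupName = 'Help Desk'
$TargetOU  = 'OU=Staff,DC=example,DC=com'   # placeholder, adjust to your domain

# 1. Create the group (domain local here; global or universal also work).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                -Path ("CN=Users," + (Get-ADDomain).DistinguishedName)
}
$groupSid = (Get-ADGroup $GroupName).SID

# 2. Resolve the GUIDs the ACEs need from the forest instead of hard-coding them.
$rootDse      = Get-ADRootDSE
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$pwdLastSet   = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$userClass    = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# 3. Two ACEs scoped to descendant user objects only: the Reset Password
#    extended right, and read/write on pwdLastSet (force change at next logon).
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$aces = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwdGuid, $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'),
        $allow, $pwdLastSet, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
$aces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Audit check: list every principal holding Reset Password on this container,
#    so anything beyond the Help Desk group stands out during review.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.ObjectType -eq $resetPwdGuid -and
                   $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
    Select-Object IdentityReference, AccessControlType, InheritanceType, InheritedObjectType
```

Running the final block on its own against a container is a quick way to verify that a wizard-made delegation granted exactly what was intended and nothing broader.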

Brien M. Posey is an MCSE who works as a freelance writer and as the Director of Information Systems for a national chain of health care facilities. His past experience includes working as a network engineer for the Department of Defense. You can contact him via e-mail at Brien_Posey@xpressions.com. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.
