Active Directory: Modifying Default Permissions
Sometimes it's useful to change the default permissions in your Windows 2000 Active Directory setup. This article tells you why you might want to change these defaults.
|In case you missed Part 1
In the first article, I discuss a variety of situations in which it might be beneficial to change the permissions on the Active Directory. As you probably know, the Active Directory is actually nothing more than a database. As with most databases, you can store any information you want in the Active Directory. For example, some companies actually store human resources information such as positions and salaries within the Active Directory. Naturally, in such a situation you'd want to closely guard who has permission to see this information.
Even if you only store basic information such as names, addresses, and phone numbers in the Active Directory, and you don't care who sees it, you'll want to control who can change it. For example, it's no big deal if a user moves and wants to update his own information. However, not just anyone should be able to change information at will.
Protecting confidential informationNormally, the personal information in the Active Directory is relatively well protected from change. Only the owner or a member of the Administrators group can make changes to the information. In some situations, you'll want to grant someone permission to view or change specific information. To perform such tasks, you'll need to use the Active Directory Users and Computers program. You can find this tool on the Start menu under Programs|Administrative Tools. When the program begins, follow these steps:
- Select the Domain Controllers folder from the column on the left. Right-click on the folder and select Delegate Control from the resulting context menu. When you do, you'll see the Delegation of Control Wizard.
- Click Next to begin the wizard. The next screen asks for the users or groups to which you want to apply your security changes. As with all security-related issues in Windows 2000, you should apply your changes on a group basis. Therefore, if you're setting up permissions to view or change information, you might go back and create a group with a name like ViewPersonalInfo or ChangePersonalInfo. When you've selected the group that you want to work with, click Next.
- The next screen allows you to delegate some common tasks such as the ability to manage group policies or user accounts or the ability to reset passwords. As you can see in Figure 1, one of the choices on this screen is the option to Read All User Information. Click to see Figure 1 This option works fine if you only need to grant read access and you want the group to be able to see everything. However, in some situations you need a little more control. If this is the case, select the Create A Custom Task To Delegate radio button and click Next. When you do, you'll see a screen asking if you want to delegate control of This Folder or Only The Following Objects In The Folder. Select the Only The Following Objects radio button. When you do, the area below the radio buttons will become accessible. Select the User Objects check box, as shown in Figure 2, and click Next. Click to see Figure 2
- The next screen contains a list of all the specific permissions you can grant to user objects. To make all objects visible to you, select the General, Property-Specific, and Creation/Deletion of Specific Child Objects check boxes from the top portion of the screen.
- Scroll through the available choices. As you can see in Figure 3, you can grant permissions for the group to read and/or change any of the user information fields, such as employee ID number, e-mail address, or fax number. If you'd prefer a shortcut, options are available at the top of the list to read all properties or write all properties. You can also set permissions based on the individual tabs within the Users Properties sheet. For example, you could grant the group permission to read and write general information, but not personal information. Click Next. Click to see Figure 3
- The last screen in the wizard summarizes the changes you're about to make. Personally, I really like this screen, because sometimes working with the wizard can get a little confusing. The summary screen details what you've done in an easy-to-understand manner. It also gives you one last chance to go back and correct any mistakes you might have made. If you like your changes, click the Finish button, and the changes will be submitted.