Active Directory: Modifying Default Permissions

The article

”

”

explains how to modify the permissions on the Active Directory to allow the users at your help desk to change passwords without granting them full administrative privileges. In this article, I

’

ll continue discussing the topic and explain some other situations in which you might want to modify the default permissions to the Active Directory.

Protecting confidential information

Normally, the personal information in the Active Directory is relatively well protected from change. Only the owner or a member of the Administrators group can make changes to the information. In some situations, you

’

ll want to grant someone permission to view or change specific information. To perform such tasks, you

’

ll need to use the Active Directory Users and Computers program. You can find this tool on the Start menu under Programs|Administrative Tools. When the program begins, follow these steps:

1. Select the Domain Controllers folder from the column on the left. Right-click on the folder and select Delegate Control from the resulting context menu. When you do, you’ll see the Delegation of Control Wizard.
2. Click Next to begin the wizard. The next screen asks for the users or groups to which you want to apply your security changes. As with all security-related issues in Windows 2000, you should apply your changes on a group basis. Therefore, if you’re setting up permissions to view or change information, you might go back and create a group with a name like ViewPersonalInfo or ChangePersonalInfo. When you’ve selected the group that you want to work with, click Next.

3. The next screen allows you to delegate some common tasks such as the ability to manage group policies or user accounts or the ability to reset passwords. As you can see in Figure 1, one of the choices on this screen is the option to Read All User Information.
   Click to see Figure 1
   This option works fine if you only need to grant read access and you want the group to be able to see everything. However, in some situations you need a little more control. If this is the case, select the Create A Custom Task To Delegate radio button and click Next. When you do, you’ll see a screen asking if you want to delegate control of This Folder or Only The Following Objects In The Folder. Select the Only The Following Objects radio button. When you do, the area below the radio buttons will become accessible. Select the User Objects check box, as shown in Figure 2, and click Next.
   Click to see Figure 2
4. The next screen contains a list of all the specific permissions you can grant to user objects. To make all objects visible to you, select the General, Property-Specific, and Creation/Deletion of Specific Child Objects check boxes from the top portion of the screen.
5. Scroll through the available choices. As you can see in Figure 3, you can grant permissions for the group to read and/or change any of the user information fields, such as employee ID number, e-mail address, or fax number. If you’d prefer a shortcut, options are available at the top of the list to read all properties or write all properties. You can also set permissions based on the individual tabs within the Users Properties sheet. For example, you could grant the group permission to read and write general information, but not personal information. Click Next.
   Click to see Figure 3
6. The last screen in the wizard summarizes the changes you’re about to make. Personally, I really like this screen, because sometimes working with the wizard can get a little confusing. The summary screen details what you’ve done in an easy-to-understand manner. It also gives you one last chance to go back and correct any mistakes you might have made. If you like your changes, click the Finish button, and the changes will be submitted.

Granting special privileges

As I mentioned earlier, sometimes you may need to grant privileges besides just the ability to read or write personal information. For example, you may need to delegate some ability to further manage users without giving full administrative permissions. The portion of the wizard that we just looked at makes doing so easy. For example, you can assign a group permission to delete an account but not to create one. This ability could come in very handy for the Human Resources department, which might want to quickly delete a user account if they found out an employee was being fired. If you wanted to, you could even give a group full control over user accounts without giving them access to anything server-specific, such as the ability to create trust relationships or add machines to the domain. //