Active Directory: Modifying Default Permissions

Sometimes it's useful to change the default permissions in your Windows 2000 Active Directory setup. This article tells you why you might want to change these defaults.

By Brien M. Posey | Posted Aug 12, 2000


In the first article, I discussed a variety of situations in which it might be beneficial to change the permissions on the Active Directory. As you probably know, the Active Directory is at heart a database, and as with most databases, you can store any information you want in it. For example, some companies store human resources information such as positions and salaries within the Active Directory. In such a situation you'd naturally want to closely guard who has permission to see this information.

Even if you only store basic information such as names, addresses, and phone numbers in the Active Directory, and you don't care who sees it, you'll want to control who can change it. For example, it's no big deal if a user moves and wants to update his own information. However, not just anyone should be able to change information at will.

The article "Active Directory: Allowing or Denying Access" explains how to modify the permissions on the Active Directory to allow the users at your help desk to reset passwords without granting them full administrative privileges. In this article, I'll continue the topic and explain some other situations in which you might want to modify the default permissions on the Active Directory.

Protecting confidential information

Normally, the personal information in the Active Directory is relatively well protected from change. By default, only the user (for a limited set of his own personal attributes) or a member of the administrative groups can change it. In some situations, you'll want to grant someone else permission to view or change specific information. To do so, you'll need the Active Directory Users and Computers console, which you can find on the Start menu under Programs|Administrative Tools. When the program begins, follow these steps:

  1. In the column on the left, select the container whose user accounts you want to delegate: the domain itself, or the organizational unit that holds the user accounts. (Permissions you delegate apply to the container you select and everything beneath it, so picking the wrong container, such as the Domain Controllers folder, which holds only domain controller computer accounts, would leave your users uncovered.) Right-click the container and select Delegate Control from the resulting context menu. When you do, you'll see the Delegation of Control Wizard.

  2. Click Next to begin the wizard. The next screen asks for the users or groups to which you want to apply your security changes. As with all security-related issues in Windows 2000, you should apply your changes on a group basis. Therefore, if you're setting up permissions to view or change information, you might go back and create a group with a name like ViewPersonalInfo or ChangePersonalInfo. When you've selected the group that you want to work with, click Next.

  3. The next screen allows you to delegate some common tasks such as the ability to manage group policies or user accounts or the ability to reset passwords. As you can see in Figure 1, one of the choices on this screen is the option to Read All User Information.

    Figure 1

    This option works fine if you only need to grant read access and you want the group to be able to see everything. However, in some situations you need a little more control. If this is the case, select the Create A Custom Task To Delegate radio button and click Next. When you do, you'll see a screen asking if you want to delegate control of This Folder or Only The Following Objects In The Folder. Select the Only The Following Objects radio button. When you do, the area below the radio buttons will become accessible. Select the User Objects check box, as shown in Figure 2, and click Next.

    Figure 2

  4. The next screen contains a list of the specific permissions you can grant on user objects. To see every available permission, select the General, Property-Specific, and Creation/Deletion of Specific Child Objects check boxes in the top portion of the screen.

  5. Scroll through the available choices. As you can see in Figure 3, you can grant the group permission to read and/or write any of the individual user attributes, such as employee ID number, e-mail address, or fax number. If you'd prefer a shortcut, options are available at the top of the list to read all properties or write all properties. You can also set permissions for the groups of attributes that correspond to the individual tabs of a user's Properties sheet. For example, you could grant the group permission to read and write General information but not Personal information. Click Next.

    Figure 3

  6. The last screen in the wizard summarizes the changes you're about to make. Personally, I really like this screen, because sometimes working with the wizard can get a little confusing. The summary screen details what you've done in an easy-to-understand manner. It also gives you one last chance to go back and correct any mistakes you might have made. If you like your changes, click the Finish button, and the changes will be submitted.

Granting special privileges

As I mentioned earlier, sometimes you may need to grant privileges beyond the ability to read or write personal information. For example, you may need to delegate some ability to manage users without giving full administrative permissions. The portion of the wizard that we just looked at makes doing so easy. For example, you can assign a group permission to delete user accounts but not to create them. This could come in very handy for the Human Resources department, which might want to remove a user account quickly when it learns an employee is being fired. (Many administrators prefer to delegate the ability to disable accounts rather than delete them, since a deleted account's SID and attributes are gone and cannot be recovered if the termination turns out to be premature or the account is needed for an investigation.) If you wanted to, you could even give a group full control over user accounts without giving them access to anything domain-wide, such as the ability to create trust relationships or add machines to the domain.
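The same two delegations, the wizard steps above (read a few specific user attributes) and the delete-but-not-create grant described in this section, as a script. This is an added example and not from the article; it uses the ActiveDirectory PowerShell module and its AD: drive, which postdate Windows 2000, rather than the Windows 2000 console. The domain contoso.com, the OU named Staff, and the groups ViewPersonalInfo and HRAccountRemovers are assumed names for illustration.

```powershell
# Added example (not from the original article): delegate attribute-level
# read access and delete-only rights on user objects without the GUI wizard.
# Assumed (hypothetical) names: domain contoso.com, OU "Staff" holding the
# user accounts, groups ViewPersonalInfo and HRAccountRemovers.
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=contoso,DC=com'
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# The wizard hides schema GUIDs behind friendly names; a script has to look
# them up. An ACE's ObjectType is the attribute (or child class) GUID and
# its InheritedObjectType is the class of object the ACE applies to.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$readAttrs     = 'employeeID', 'mail', 'facsimileTelephoneNumber'

$viewSid = (Get-ADGroup 'ViewPersonalInfo').SID
$hrSid   = (Get-ADGroup 'HRAccountRemovers').SID

$acl = Get-Acl -Path "AD:\$ou"

# Equivalent of step 5: ReadProperty on three named attributes, as an
# inherit-only ACE that lands on user objects beneath the OU and nothing else.
# (ReadProperty with no attribute GUID would be the wizard's "read all
# properties" shortcut.)
foreach ($attr in $readAttrs) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $viewSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}

# "Granting special privileges": delete user objects under the OU without
# being able to create them. DeleteChild scoped to the user class on the
# container (and sub-containers) is the delete side; CreateChild is
# deliberately never granted.
$deleteRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $hrSid,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($deleteRule)

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: read back what was written, as the wizard's summary screen would.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -match 'ViewPersonalInfo|HRAccountRemovers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two things to keep in mind whichever way you delegate. First, the check at the end matters: review the resulting ACEs (dsacls from the Support Tools prints the same ACL) rather than trusting that the friendly names mapped to the attributes you intended. Second, neither the wizard nor this script will give the delegated group any access to accounts that are members of the built-in administrative groups; those accounts have inheritance disabled and their ACLs are periodically reset from AdminSDHolder, so delegation over an OU deliberately does not reach them.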

Brien M. Posey is an MCSE who works as a freelance writer and as the Director of Information Systems for a national chain of health care facilities. His past experience includes working as a network engineer for the Department of Defense. You can contact him via e-mail at Brien_Posey@xpressions.com. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.
