There are a million reasons why you might want to regulate the Active Directory under Windows 2000. In this article, I'll discuss some situations in which the default Active Directory permissions might not be appropriate. I'll then go on to explain how to make some security changes.

Before we begin

Before we get started, it's important to have a little bit of background about Active Directory. As you're no doubt aware, Active Directory is a database that Windows 2000 uses to maintain various aspects of the network. For example, all the user accounts are stored in the Active Directory. These accounts contain the traditional features, such as passwords and account policies, all of which are maintained within the Active Directory. However, unlike the Windows NT Security Accounts Manager, Active Directory is also useful from an end-user perspective: it can contain a wealth of information about each user. For example, you can specify a user's department, phone number, birthday, or any other information you want people to know. It's possible to use the Active Directory database as a company directory.

Why restrict access?

Because of the kind of information Active Directory stores, you may not want everyone to have access to everything. For example, suppose you use the Active Directory as a company directory. You probably want everyone to be able to read the company directory, but you don't want just anyone to be able to change it. For example, you wouldn't want a user to change another user's phone number. Each user should only have access to change his or her own information. Likewise, you'll probably want to hide certain fields from most users. For example, you might restrict the home phone number field to managers or to the human resources department.

As I mentioned, the Active Directory's primary purpose is to manage various aspects of the operating system. Of course, this portion of the Active Directory is restricted by default. However, in some situations you may want to grant access to a portion of the system side of the Active Directory to various users. For example, suppose you decide that you want your help desk to be able to reset passwords, but you don't want to give them full administrative access. You can accomplish this by granting them access to a portion of the Active Directory, rather than adding them to the Administrators group or the Account Operators group. Similarly, in a large company, a department may have a computer-savvy manager who is willing to take responsibility for managing that department's user accounts. Depending on the structure of your Active Directory, you can grant the manager permission to change passwords for his department only. You can also grant permission for that manager to add users to the groups associated with that department. By doing so, you've removed some of the administrative burden from the IT staff without jeopardizing your network's security. Basically, with Active Directory, it's easy to give users control over the aspects that you want them to control without granting them access to anything extra.

Setting Active Directory security

Now that we've discussed why you might want to change some of your Active Directory permissions, let's take a look at how to do so. Unfortunately, space limitations prevent me from discussing all the intricacies of Active Directory security in this article. For now, let's look at a method for allowing your help desk staff to reset passwords without granting them excessive permissions. Follow these steps:
You can use the Delegation Of Control wizard to easily add a permission that allows members of the Help Desk group to reset passwords, without giving the group full administrative privileges. If you need to grant someone authority beyond just the simple tasks listed in the Tasks To Delegate screen, you can select the Create A Custom Task To Delegate radio button and then click Next. Doing so will present you with a series of screens that let you delegate any user right or combination of rights that you can possibly imagine.

Brien M. Posey is an MCSE who works as a freelance writer and as the Director of Information Systems for a national chain of health care facilities. His past experience includes working as a network engineer for the Department of Defense. You can contact him via e-mail at Brien_Posey@xpressions.com. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.
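The help-desk delegation described in the article is done through the Delegation Of Control wizard. As an added example that is not part of the original article, the PowerShell below performs the same delegation in script form using the ActiveDirectory module (available from Windows Server 2008 R2 / RSAT onward, so it does not apply to a Windows 2000 console). It goes slightly beyond the article's scenario by also granting write access to the pwdLastSet attribute, which is what lets the help desk tick "User must change password at next logon" after a reset. The OU path and group name are placeholders; the GUIDs for the "Reset Password" extended right, the user class and the pwdLastSet attribute are looked up from the forest's configuration and schema partitions rather than hardcoded.

```powershell
# Added example, not from the original article: delegate "Reset Password" on one OU
# to a Help Desk group, scoped so the grant applies to user objects only.
# $ouDN and $groupSam are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$ouDN     = 'OU=Sales,DC=example,DC=com'   # placeholder: OU whose users the help desk may reset
$groupSam = 'HelpDesk'                     # placeholder: the delegated group

# Resolve GUIDs from this forest instead of hardcoding them.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

$resetPwdRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$userClass     = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$pwdLastSet    = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID

$resetPwdGuid   = [guid]$resetPwdRight.rightsGuid
$userClassGuid  = [guid]$userClass.schemaIDGUID     # schemaIDGUID is a byte[]; [guid] converts it
$pwdLastSetGuid = [guid]$pwdLastSet.schemaIDGUID

$sid = (Get-ADGroup -Identity $groupSam).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the "Reset Password" extended right, inherited by user objects below the OU only.
# Restricting inheritance to the user class keeps the grant off groups, computers and the OU itself.
$resetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# ACE 2: write access to pwdLastSet on user objects, so the help desk can force a
# password change at next logon after resetting it.
$pwdLastSetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($pwdLastSetAce)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review the result: the group should have exactly two ACEs here, both scoped to user objects.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The final Get-Acl pipeline is the check worth keeping: it shows what the group can actually do on that OU, so a delegation that accidentally landed on the wrong container or without the user-class inheritance filter is visible immediately. Run Set-Acl with -WhatIf first if you want to see the target before committing.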
Enterprise Networking Planet aims to educate and assist IT administrators in building strong network infrastructures for their enterprise companies. Enterprise Networking Planet contributors write about relevant and useful topics on the cutting edge of enterprise networking based on years of personal experience in the field.