--------------------------------------------------------------------
SearchWin2000.com's Active Directory Tip
--------------------------------------------------------------------
TODAY'S ADMINISTRATOR TIP: Using access control inheritance
====================================================================

"Using access control inheritance"
By Kevin R. Sharp

By controlling how Active Directory allows security properties to be inherited, you can save yourself a lot of work.

Procedure:

Every Active Directory object has associated with it a "security descriptor" property that protects the object. Within the security descriptor you can control a "discretionary access control list" (DACL), which in turn contains a list of "access control entries" (ACEs). It is those ACEs that protect the object. Each ACE grants or denies a user or group access to a specified property of the object. If you're interested in the gory details, see the Access Control Model page on the Microsoft Developer's site (http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/winbase/accctrl_9xkc.htm), which provides links to some great detailed discussions of the mechanisms at work, including the interaction between threads and securable objects.

Each time you want to change the access control settings of an object, you need to manipulate the object's "nTSecurityDescriptor" property using the 10-step procedure spelled out at http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/adsi/glsecur2_8hpw.htm. In practice, you would not explicitly manipulate the access control properties of every object; you would rely on inheritance to do it for you instead. By controlling how Active Directory objects inherit ACEs, you can let the system set the security of objects automatically as users create them.

The easiest way to administer access control is to establish the access rules high up in the object tree and then let inheritance propagate the rules down the tree as objects are added. For example, you can add a collection of ACEs to the DACL of an organizational unit object and have those security parameters inherited by every object created as a child of the organizational unit.

Every time you create an Active Directory object, a security descriptor is created for the object whether you explicitly specify one or not. If you do not specify a descriptor, the new object inherits the inheritable ACEs from its parent object, plus any ACEs from the default DACL. If you don't want a child to inherit ACEs, set the SE_DACL_PROTECTED bit in the Control field of the child's security descriptor.

You can also control inheritance of permissions on a per-ACE basis using AceFlags:

- ADS_ACEFLAG_INHERIT_ACE
  This flag causes the ACE to be inherited down the tree.
- ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
  This flag causes the ACE to be inherited down only one level in the tree.
- ADS_ACEFLAG_INHERIT_ONLY_ACE
  This flag causes the ACE to be ignored on the object it is specified on; it is only inherited down and is effective only where it has been inherited.

--------------------------------------------------------------------
Kevin Sharp is president of Accurate Information Inc.
He has years of experience as a system administrator with various operating systems, and is a member of the Institute of Electrical and Electronic Engineers.
====================================================================
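As an added illustration (not part of the original tip or of any Microsoft code), the following Python script interprets the inheritance bits of a DACL written in SDDL, the text form of a security descriptor that Windows tools can export, and reports where each ACE takes effect. It assumes the standard SDDL letter-to-AceFlags mapping (CI = ADS_ACEFLAG_INHERIT_ACE, NP = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE, IO = ADS_ACEFLAG_INHERIT_ONLY_ACE, and P on the DACL = SE_DACL_PROTECTED), and the sample OU descriptor is constructed for the demonstration.

```python
import re
from collections import namedtuple

# SDDL ACE-flag letters mapped to the ADSI AceFlags bits named in the tip
# (mapping assumed from the public SDDL and ADSI references).
ACE_FLAG_BITS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}
INHERIT = 0x03        # OI|CI; in AD, ADS_ACEFLAG_INHERIT_ACE is CI (0x02)
NO_PROPAGATE = 0x04   # ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
INHERIT_ONLY = 0x08   # ADS_ACEFLAG_INHERIT_ONLY_ACE

Ace = namedtuple("Ace", "ace_type flags rights trustee effective_here "
                        "inherited_by_children propagates_below_children")

def parse_dacl(sddl):
    """Return (dacl_protected, [Ace]) from the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL component in SDDL")
    protected = "P" in m.group(1)  # SE_DACL_PROTECTED: nothing inherited from parent
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        f = body.split(";")        # type;flags;rights;object;inherit_object;sid
        if len(f) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        flags = 0
        for i in range(0, len(f[1]), 2):
            flags |= ACE_FLAG_BITS.get(f[1][i:i + 2], 0)  # audit letters ignored
        inherit = bool(flags & INHERIT)
        aces.append(Ace(f[0], flags, f[2], f[5],
                        not flags & INHERIT_ONLY, inherit,
                        inherit and not flags & NO_PROPAGATE))
    return protected, aces

def inheritance_report(sddl):
    """One line per ACE stating where it takes effect, for auditing an OU's DACL."""
    protected, aces = parse_dacl(sddl)
    lines = ["SE_DACL_PROTECTED set: %s" % protected]
    for a in aces:
        where = ["this object"] if a.effective_here else []
        if a.inherited_by_children:
            where.append("children and below" if a.propagates_below_children
                         else "children only (one level)")
        lines.append("%s %s -> %s: %s" % (a.ace_type, a.rights, a.trustee,
                                         ", ".join(where) or "nowhere (IO without CI)"))
    return lines

# Constructed sample OU descriptor: inheritance blocked from the parent, five ACEs
# covering the AceFlags combinations discussed in the tip (last one is a misconfig).
SAMPLE_OU_SDDL = ("O:DAG:DAD:PAI(A;CI;GA;;;DA)(A;CINP;GR;;;AU)"
                  "(D;CIIO;WP;;;WD)(A;;GR;;;WD)(A;IO;GR;;;WD)")
```

Run `print("\n".join(inheritance_report(SAMPLE_OU_SDDL)))` to see the report; the final ACE shows the common mistake of setting INHERIT_ONLY without INHERIT_ACE, which leaves the entry with no effect anywhere.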
