
LOCATING OBJECTS

Finding Active Directory objects in an enterprise is accomplished through the Microsoft Management Console. If Find is invoked from within a specific snap-in, as shown in Figure 6.21, the items managed by the snap-in will appear in the Find window and searches will center on that branch of the Active Directory. If it is not clear where the object is located, you can use the Directory Management snap-in. The interface for finding an object is straightforward and requires no further explanation.

Figure 6.21. Finding an Object with Advanced Definitions


Active Directory Object Access

The security model of the Active Directory to a large extent mirrors that of NTFS in Windows Server 2003. A security descriptor defines which users and groups are assigned permissions to an object. Every object has an access control list (ACL) that records who has access to it and what they can do with it. Specific levels of permission can be assigned to each user or group. As a general rule, at least one user will have full control over an object, but full control for all users is seldom recommended. Where no permission is granted, the object is unavailable to that user or group. When permission is specifically denied, the denial overrides all other rights. For example, a user can belong to a group that has permission to use a network resource, but if that user is specifically denied permission, any rights to that resource granted to him as a group member are canceled.

By default, an object inherits the permission rights of its parent. One use of the organizational unit is to group objects with the same permissions.
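The following is an added example, not from the book, that models the access rules just described (no grant means no access, an explicit deny cancels rights granted through group membership, and a child object inherits its parent's entries). Object, group and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

@dataclass
class Ace:
    trustee: str               # user or group the entry applies to
    rights: FrozenSet[str]     # e.g. {"read", "write", "full"}
    deny: bool = False         # True for a Deny entry, False for Allow

@dataclass
class DirObject:
    name: str
    aces: List[Ace] = field(default_factory=list)
    parent: Optional["DirObject"] = None
    inherit: bool = True       # inherit the parent's permissions (the default)

def effective_aces(obj: DirObject) -> List[Ace]:
    """Explicit entries on the object, followed by those inherited up the
    parent chain (an OU that groups objects with the same permissions)."""
    entries, node = [], obj
    while node is not None:
        entries.extend(node.aces)
        if not node.inherit:
            break
        node = node.parent
    return entries

def has_access(obj: DirObject, user: str, groups: List[str], right: str) -> bool:
    """Simplified check following the text: any matching Deny entry overrides
    every Allow, whether the Allow came directly or via group membership.
    (Real Windows evaluation orders explicit entries before inherited ones.)"""
    principals = {user, *groups}
    allowed = False
    for ace in effective_aces(obj):
        if ace.trustee not in principals or right not in ace.rights:
            continue
        if ace.deny:
            return False       # specific denial cancels all other rights
        allowed = True
    return allowed             # no grant at all -> object is unavailable

# Constructed sample: an OU granting its group read/write, with one child object.
SALES_OU = DirObject("OU=Sales", [Ace("SalesGroup", frozenset({"read", "write"}))])
PRINTER = DirObject("CN=Printer1", parent=SALES_OU)
# Same object, but with an explicit Deny added for one member of the group.
PRINTER_DENIED = DirObject("CN=Printer1",
                           [Ace("alice", frozenset({"write"}), deny=True)],
                           parent=SALES_OU)
```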

Access control lists are discussed in greater depth in Chapter 7. The ACL is managed through a user interface that permits simplified creation and editing of its components. Windows Server 2003 provides enhancements to the standard access control list editor user interface (ACLUI), including:

Editing is accomplished by selecting the Properties tab of any file, Registry key, or Active Directory object. Select the Security tab and make the appropriate changes.

Object Picker UI Enhancements

New to Windows Server 2003, Object Picker is a user-interface component that allows the selection of one or more users, computers, groups, or contacts from Active Directory services. The new components include administrator workflow optimization, which facilitates rapid location of objects. This feature should reduce the impact on the directory service network in terms of both speed (time) and overall utilization (space). The Object Picker provides the ability to scope a search down to a specific OU using a more flexible query function. This new function is available from the Active Directory Users and Computers snap-in.
