The Active Directory supports two types of permission: standard and special. The five standard permissions, which may be applied in any combination to a user or group, are:
Read. The user can see the object and attributes, can identify its owner, and has other permissions where applicable.
Write. The user can change the object's attributes.
Create Child Objects. The user can create child objects in an OU.
Delete Child Objects. The user can remove child objects.
Full Control. The user can perform any action on the object, including taking full control.
Special permissions are extensions to the standard permissions and vary for each object.
The security permission settings can be viewed for every object from its Properties dialog. The properties for all objects can be retrieved from the Active Directory Schema snap-in. To retrieve and set object permissions, the following steps should be taken (Figure 6.22):
Open the Active Directory Schema snap-in.
Open the Classes folder.
Right-click the targeted object class.
In the Properties dialog box, select the user or group for which permissions are to be set, or use Add or Remove to add or remove a user or group.
Click the desired Permission.
Repeat these steps for each user or group for which permissions are to be modified.
Click OK to complete.
To simply view the special permissions assigned to an object, click Advanced and double-click Permissions (Figure 6.23). Changes in this list can then be applied by selecting or clearing the check boxes that designate special permissions.
By default, permissions are inherited from parent objects. Rather than setting all permissions on every object, the system administrator can rely on permissions set on a parent object filtering down the object tree. Sometimes this inheritance needs to be overridden, which is accomplished as follows:
Open the Active Directory Schema snap-in.
Right-click Active Directory Schema and click Permissions.
On the Security tab, click the group whose permissions you want to change.
In Permissions, select Allow or Deny for the permissions you want to change.
Alternatively, remove the check mark at the bottom of the Permissions dialog that states "Allow inheritable permissions from the parent to propagate to this object."
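The following Python sketch is an added example, not part of the original text. It reads an object's access control list in SDDL string form (the text notation Windows uses for security descriptors) and reports, for each entry, which of the standard permissions listed above it grants, whether it was inherited from the parent, and whether the object blocks inheritance. The two SDDL strings, the SIDs and the GUID are constructed samples, and the mapping from SDDL rights to the five permission names is this example's assumption.

```python
import re

# SDDL two-letter rights for directory objects, grouped under the page's
# permission names (assumed mapping for this example).
READ = {"RC", "LC", "RP", "LO"}    # read control, list, read property, list object
WRITE = {"WP", "SW"}               # write property, validated (self) write
FULL = READ | WRITE | {"CC", "DC", "DT", "CR", "SD", "WD", "WO"}
GENERIC = {"GA": FULL, "GR": READ, "GW": WRITE | {"RC"}}
STANDARD = [("Read", READ), ("Write", WRITE),
            ("Create Child Objects", {"CC"}), ("Delete Child Objects", {"DC"})]

# Constructed samples: one object that inherits, one with inheritance blocked (P flag).
INHERITING = ("O:DAG:DAD:AI(A;;RPWPSW;;;S-1-5-21-1-2-3-1105)(A;CIID;GA;;;DA)"
              "(A;CIID;LCRPLORC;;;AU)(D;CIID;CCDC;;;S-1-5-21-1-2-3-1106)")
PROTECTED = ("O:DAG:DAD:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
             "(OA;CI;WP;00000000-0000-0000-0000-000000000001;;S-1-5-21-1-2-3-1105)")

def pairs(s):
    """Split an SDDL flag or rights string into its two-letter tokens."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def name_permissions(rights, object_guid):
    """Translate an ACE's rights into the standard permission names."""
    if object_guid:                # scoped to a single property or class
        return ["Special"]
    granted = set()
    for tok in pairs(rights):
        granted |= GENERIC.get(tok, {tok})
    if FULL <= granted:
        return ["Full Control"]
    return [n for n, need in STANDARD if need <= granted] or ["Special"]

def audit_dacl(sddl):
    """Return the inheritance state and a per-ACE summary of the DACL."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    report = {"inheritance_blocked": "P" in m.group(1), "aces": []}
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        kind, flags, rights, obj_guid, _inh_guid, trustee = ace.split(";")[:6]
        report["aces"].append({
            "trustee": trustee,
            "access": "Deny" if kind in ("D", "OD") else "Allow",
            "inherited": "ID" in pairs(flags),   # ID = came from the parent
            "permissions": name_permissions(rights, obj_guid)})
    return report

if __name__ == "__main__":
    for label, sddl in (("inheriting", INHERITING), ("protected", PROTECTED)):
        print(label, audit_dacl(sddl))
```

Entries reported with `inherited` set to False are the ones set directly on the object, which is where a review of delegated rights normally starts.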