Working with Directory Permissions in a Windows 2000 Network - dummies

By Ed Tittel, James M. Stewart

Being an administrator within a Windows 2000 domain is no longer the same as being an administrator within a Windows NT domain. First and foremost, the administrator title no longer grants you minor-deity-like status. In Windows NT the domain was the only administrative boundary, so anyone who needed to manage a handful of accounts had to be made an administrator of the whole domain; you no longer need to grant all your network management assistants the capability to bring your entire organization to its knees with a bad keystroke. Instead, you can create organizational units (OUs) and delegate administrative capabilities over those OUs to select users without granting them any additional control or capability over any other part of the domain.

Microsoft developed this concept of delegated authority to reduce the number of tasks that have to land on a single individual. Here’s how you do it: Create an OU for each department and grant the department head administrative privileges over it; nest the department OUs inside an OU for each section and grant the section manager administrative privileges over that OU; nest the section OUs inside a division OU and delegate that one to the division manager; and so on up the organization. Keep in mind that permissions set on an OU are inherited by the OUs and objects beneath it, so the section manager’s rights reach down into the department OUs unless you deliberately block inheritance there. Eventually, you delegate administrative control over users, groups, computers, printers, shared folders, and more to others, which means that you, as the domain administrator, need to bother only with really pressing issues, such as installing new domain controllers, creating trusts, or rebuilding the entire network after a fire.

Beauty is in the details

Access Control Lists (ACLs) were present within the Windows NT domain concept. As part of its properties, each object has a list of users and groups that have specific levels of access granted or denied to them. Windows 2000 has taken this idea and gone ballistic with it. Now, each object still has a master ACL for access to the object as a whole, but an individual entry in that ACL can be scoped to a single attribute, to a named set of attributes (a property set such as Phone and Mail Options), to an extended right such as Reset Password, or to the creation and deletion of particular kinds of child objects. You can now control on an extremely fine level who can do exactly what to which objects. You could assign one user the capability to change telephone numbers on all users in the Sales OU but not grant that user the capability to manage any other aspect of those objects. Two cautions come with that power: the finer the entries, the harder the ACL is to audit, and some innocent-looking rights are full control in disguise. Whoever can reset a user’s password can log on as that user, and whoever can write a group’s member attribute can add themselves to it, so treat those rights with the same care as Full Control. You could drive yourself and your users insane with the level of detailed control that Windows 2000 offers you.

Handing out permissions

Managing permissions on Active Directory objects is similar to managing permissions on files, shares, and printers. Instead of taking place within Windows Explorer, My Computer, or the Printers folder, it takes place within the Active Directory Users and Computers tool. Up until now, you’ve been using this tool half-blind. You probably didn’t even know that you had a command to essentially amplify the capabilities of this tool. If you choose the View –> Advanced Features command from the menu bar, many other containers, commands, and properties details become accessible; in particular, the Security tab on an object’s Properties dialog box does not appear at all until Advanced Features is turned on.

Select any object from any container and open its Properties dialog box; then select its Security tab. You see a familiar interface listing users and groups assigned permissions to this object, a list of permissions specific to this object type, columns of Allow and Deny check boxes, an Advanced button, and a check box that controls whether inheritable permissions from the parent container propagate to this object. This interface functions much like the one that you see when managing files, and the usual rules apply: an explicit Deny overrides an Allow. The amount of detail offered here and through the Advanced button (which opens the Access Control Settings dialog box, where you can set per-attribute permissions and manage auditing and ownership) is mind-boggling. If you’re a control freak, this OS is the one for you!

Delegating control over OUs

Delegating administrative control over OUs is deceptively simple; just follow these steps:

1. On a Windows 2000 Server domain controller, click the Start button and choose Programs –> Administrative Tools and then the Active Directory tool that holds the container you want: Active Directory Users and Computers for domains and OUs, or Active Directory Sites and Services for sites.

2. Expand the containers to locate the site, domain, or OU that you want to delegate and select that object.

3. Choose Action –> Delegate Control.

4. Click Next on the Delegation of Control Wizard that appears.

5. Click Add.

6. Locate and select a user or group to grant admin control to this object and then click Add.

7. Repeat Steps 5 and 6 to add other users or groups.

8. Click OK and then Next. On the Tasks to Delegate page, choose Create a custom task to delegate and click Next; the list of common tasks on that page is a shortcut that skips the next two steps.

9. Select the scope of the delegation: either this container and all objects within it, existing now and created in the future, or only the specific types of objects that you check in the list; click Next.

The items in this list are specific to the container type selected back in Step 2.

10. Select the permissions that you want to delegate control over; click Next.

You first choose which permission groupings to display (General, Property-specific, and Creation/deletion of specific child objects) and then check the individual permissions within them. Stay as specific as the job allows; delegating Full Control on an OU hands over everything inside it.

A summary of the delegation appears.

11. Click Finish.

That’s it. Now the specified OU has a new master. As a local or domain administrator, you can still directly manage that OU, but the newly defined delegated administrator can be called on to perform those redundant and mundane tasks that you’ve hated for so long. Two things to remember afterward: the wizard only ever adds permission entries, so to take a delegation back (or to see exactly what it granted) you go to the object’s Security tab, click Advanced, and remove the entries yourself; and because those entries are inheritable, they apply to every OU and object created beneath that container later on. With a little planning and ingenuity, you can have your users doing most of your work!
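The following script is an added example and is not part of the original article. It does from the command line what the attribute-level ACL discussion and the wizard steps above do in the GUI: it grants a group write access to a single attribute (telephoneNumber) on user objects below an OU, grants the Reset Password extended right, reads the explicit entries back for review, and then removes them, which the wizard itself cannot do. It uses the Windows PowerShell ActiveDirectory module, so it runs from a current management workstation against the domain rather than on a Windows 2000 console (on a Windows 2000 box the comparable command-line tool is dsacls.exe from the Support Tools). The domain example.com, the Sales OU and the group "Sales Phone Admins" are hypothetical placeholders; the schema and extended-right GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, a domain example.com, an OU "Sales" and a group "Sales Phone Admins"
# (all hypothetical names). Run as an account allowed to change the OU's ACL.
Import-Module ActiveDirectory

$ouDN     = "OU=Sales,DC=example,DC=com"
$group    = Get-ADGroup "Sales Phone Admins"
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the GUIDs that scope an ACE to one attribute, one object class or
# one extended right from the schema and configuration partitions.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID          # stored as a byte array in the schema
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClassGuid = Get-SchemaGuid 'user'
$telephoneGuid = Get-SchemaGuid 'telephoneNumber'
$resetPwdGuid  = Get-ExtendedRightGuid 'Reset Password'

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Write only the telephoneNumber attribute, on user objects anywhere below
#    the OU (Descendents = inherited by children, not applied to the OU itself).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $telephoneGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# 2. The Reset Password extended right. Anyone holding it can log on as those
#    users, so grant it only where that is the intent.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: delegation lives in the explicit (non-inherited) entries on the
# container, so those are the ones to review. ObjectType shows the attribute
# or right GUID; InheritedObjectType shows the object class it applies to.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# Revoke: the Delegation of Control Wizard only adds entries, so removal is
# done by hand. Match on the group's account name rather than on a NetBIOS
# domain string we would otherwise have to assume.
$groupAccount = $groupSid.Translate([System.Security.Principal.NTAccount]).Value
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $groupAccount } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

The audit listing is the part worth keeping in a scheduled job: running it over every OU and diffing the output against the last run catches delegations that were added outside your change process, and ExtendedRight or WriteProperty entries on sensitive attributes (password reset, group membership) should stand out in that list the same way Full Control would.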