Overview
Object Security in Active Directory
Active Directory Security Components
Security Principals
User, security group, service, and computer accounts
Each is identified by a unique security identifier (SID)
Security Identifiers (SIDs)
Uniquely identify security principals
Are never reused, even after the principal is deleted (a recreated object with the same name gets a new SID)
Security Descriptors
Security information associated with an object
Contain the object's owner, its DACL, and its SACL
Discretionary and System Access Control Lists
Discretionary Access Control List (DACL)
Identifies which security principals are allowed or denied access to the object, and the level of access being allowed or denied
System Access Control List (SACL)
Controls which access attempts on the object are audited (successful, failed, or both)
Access Control Entries
Access-denied ACE: used in a DACL to deny access
Access-allowed ACE: used in a DACL to allow access
Object-specific ACE: used in a DACL to deny or allow access to a property or property set, or to limit inheritance to a specified type of child object
System-audit ACE: used in a SACL to specify which access attempts are audited
Inheritance
Eliminates the need to manually apply permissions to child objects
Ensures that the permissions applied to a parent object are applied consistently to all child objects
Ensures that when permissions on all objects within a container need to be changed, you only need to change the permissions on the parent object
Ensures that ACEs applied directly to an Active Directory object take precedence over any conflicting inherited ACEs (an explicit Allow wins over an inherited Deny)
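As an added example (PowerShell written for this page, not part of the original slides), the following reads the security descriptor of an OU through the ActiveDirectory module's AD: drive and prints the owner, the DACL, and the SACL. Object-specific ACEs carry GUIDs for the property, property set, extended right, or child object class they apply to; the script resolves those GUIDs to names from the schema and the Extended-Rights container. The OU distinguished name is an assumption; reading the SACL requires SeSecurityPrivilege.

```powershell
Import-Module ActiveDirectory
$path = "AD:\OU=Sales,DC=example,DC=com"   # assumed OU; replace with a real DN

# Build a GUID -> name map from the schema (classes, attributes, property sets)
# and from the Extended-Rights container, so object-specific ACEs print as names.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]::new([byte[]]$_.schemaIDGUID)] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty)     { return '(whole object)' }   # empty GUID: ACE is not object-specific
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

$sd = Get-Acl -Path $path -Audit   # -Audit also returns the SACL
"Owner: $($sd.Owner)"

# DACL in canonical order: explicit ACEs before inherited ones, Deny before Allow within each group
"`nDACL"
$sd.Access | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
    @{n='ObjectType';          e={ Resolve-AceGuid $_.ObjectType }},
    @{n='InheritedObjectType'; e={ Resolve-AceGuid $_.InheritedObjectType }},
    InheritanceType, IsInherited | Format-Table -AutoSize

# SACL: which access attempts are audited (Success, Failure, or both) for which principals
"`nSACL"
$sd.Audit | Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights,
    @{n='ObjectType'; e={ Resolve-AceGuid $_.ObjectType }}, IsInherited | Format-Table -AutoSize
```

The IsInherited column is what distinguishes an ACE set on the OU itself from one flowing down from a parent; the InheritedObjectType column shows the child object class an inheritable ACE is limited to.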
The Logon Process
User Logs On
Local Security Subsystem Obtains a Ticket-Granting Ticket (TGT) for the User from the Kerberos KDC
Local Security Subsystem Requests a Service Ticket for the Workstation
Kerberos KDC Sends the Workstation Service Ticket
Local Security Subsystem Constructs an Access Token from the Authorization Data in the Ticket
Access Token Is Attached to the User’s Process
Access Tokens
Are created during the logon process and used whenever a user attempts to gain access to an object
Contain the user's SID, the unique identifier that represents the user
Contain group SIDs, the list of groups to which the user belongs
Contain user rights (privileges), the system-level actions the user is allowed to perform
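As an added example (not from the original slides), the following PowerShell shows the two artifacts the logon process described above leaves behind on the workstation: the cached Kerberos tickets (the TGT and the service ticket for the workstation itself) and the access token attached to the current process, with its user SID, group SIDs, and privileges. It runs as whatever user is currently logged on and assumes a domain-joined machine with a Kerberos logon.

```powershell
# 1. Tickets obtained during logon: the TGT (krbtgt/REALM) and the service ticket
#    for this workstation (host/<computer>). The authorization data in the ticket
#    is where the SIDs placed in the token come from.
klist

# 2. The access token attached to this process
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID      : $($id.User.Value)"
"Authenticated : $($id.IsAuthenticated) via $($id.AuthenticationType)"   # "Kerberos" after a domain logon

"Group SIDs in the token:"
$id.Groups | ForEach-Object {
    # Translate to DOMAIN\Name where possible; logon SIDs and some well-known SIDs do not translate
    try   { "  {0,-50} {1}" -f $_.Translate([System.Security.Principal.NTAccount]).Value, $_.Value }
    catch { "  {0,-50} {1}" -f '(untranslatable)', $_.Value }
}

# 3. Privileges (user rights) held by the token and whether each is currently enabled
whoami /priv
```

Group membership changes made in Active Directory after logon do not appear in this token; the user must log off and on again so a new token is built from a fresh ticket.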
How Windows 2012 Grants Access to Resources
Controlling Access to Active Directory Objects
Active Directory Permissions
Can be allowed or denied
Can be denied explicitly (a Deny ACE) or implicitly (no ACE grants the access)
Can be set as standard or special permission
Controlling Inheritance of Permissions
Objects Inherit Permissions That Exist at the Time of Creation
Inheritance of Permissions Can Be Blocked; for the ACEs already inherited, either:
Copy previously inherited permissions to the object
Remove previously inherited permissions from the object
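As an added example (not from the original slides), this PowerShell blocks inheritance on an OU and selects between the two options above with one flag: copying the previously inherited ACEs onto the object as explicit ACEs, or removing them. The OU distinguished name is an assumption. Before removing inherited ACEs it checks that at least one explicit Allow ACE would remain, since an object with no Allow ACE is reachable only by its owner or by someone with the Take Ownership privilege.

```powershell
Import-Module ActiveDirectory
$path = "AD:\OU=Finance,DC=example,DC=com"   # assumed OU
$copyInherited = $true   # $true: keep inherited ACEs as explicit copies; $false: drop them

$acl = Get-Acl -Path $path
"Inheritance already blocked: $($acl.AreAccessRulesProtected)"

if (-not $copyInherited) {
    # Removing inherited ACEs leaves only what is explicit on the object. Refuse to
    # proceed if no explicit Allow ACE would remain, which would lock everyone out.
    $explicitAllow = $acl.Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }
    if (-not $explicitAllow) { throw "No explicit Allow ACE on $path; copy the inherited ACEs instead." }
}

# SetAccessRuleProtection(isProtected, preserveInheritance):
#   $true, $true  -> block inheritance, copy previously inherited ACEs onto the object
#   $true, $false -> block inheritance, remove previously inherited ACEs
$acl.SetAccessRuleProtection($true, $copyInherited)
Set-Acl -Path $path -AclObject $acl

$after = Get-Acl -Path $path
"Inheritance blocked now    : $($after.AreAccessRulesProtected)"
"Explicit ACEs on the object: $(@($after.Access | Where-Object { -not $_.IsInherited }).Count)"
"Inherited ACEs still shown : $(@($after.Access | Where-Object { $_.IsInherited }).Count)"   # expect 0
```

Objects created under the OU after this change inherit only from the OU's own (now explicit) ACEs, which matches the slide's point that objects inherit the permissions that exist at the time of creation.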
Setting Active Directory Permissions
Object Ownership
Every Object Has an Owner
The Owner Controls How Permissions Are Set on an Object, and to Whom Permissions Are Assigned
If a Member of the Administrators Group Takes Ownership, the Default Owner Is the Group, Not the Individual User
Changing Object Ownership
The current owner assigns the Modify Owner permission to other users, who can then take ownership
Members of the Domain Admins group, who hold the Take Ownership privilege, can take ownership of any object in the domain
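As an added example (not from the original slides), this PowerShell shows both ways of changing ownership described above: the current owner granting the Modify Owner right (WriteOwner) to a user so that she can take ownership, and an administrator assigning the owner directly. The object path and the user name are assumptions.

```powershell
Import-Module ActiveDirectory
$path = "AD:\OU=Printers,DC=example,DC=com"   # assumed object
$acl  = Get-Acl -Path $path
"Owner before: $($acl.Owner)"   # an Administrators member who took ownership shows as BUILTIN\Administrators, not the user

# Option 1 (current owner): grant Alice the Modify Owner right so she can take ownership herself.
$aliceSid = (Get-ADUser 'alice').SID   # assumed user
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($aliceSid, 'WriteOwner', 'Allow'))
Set-Acl -Path $path -AclObject $acl
# Alice, running as herself, would then take ownership with:
#   $a = Get-Acl -Path $path; $a.SetOwner($aliceSid); Set-Acl -Path $path -AclObject $a

# Option 2 (administrator): assign the owner directly. Taking ownership for yourself needs
# WriteOwner on the object or SeTakeOwnershipPrivilege; assigning it to someone else needs
# SeRestorePrivilege. Administrators on domain controllers hold both by default.
$acl = Get-Acl -Path $path
$acl.SetOwner($aliceSid)
Set-Acl -Path $path -AclObject $acl
"Owner after : $((Get-Acl -Path $path).Owner)"
```

Because the owner can always rewrite the DACL, granting WriteOwner is equivalent to granting full control over the object; audit it like any other full-control assignment.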
Delegating Administrative Control of Active Directory Objects
Overview of Delegating Administrative Control
Changing properties on a particular container
Creating and deleting objects of a specific type under an organizational unit
Updating specific properties on objects of a specific type under an organizational unit
Using the Delegation of Control Wizard
Start the Delegation of Control Wizard
Select Users or Groups to Which to Delegate Control
Assign Tasks to Delegate
Select Active Directory Object Type
Assign Permissions to Users or Groups
Guidelines for Delegating Administrative Control
Assign Control at the OU Level
Use the Delegation of Control Wizard
Track the Delegation of Permission Assignments
Follow Organizational Guidelines for Delegating Control
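The Delegation of Control Wizard writes object-specific ACEs onto the OU; the same result can be scripted, which is easier to review and to track. As an added example (not from the original slides), the following PowerShell delegates two of the tasks listed above to a group over an OU: resetting passwords on user objects, and creating and deleting user objects. It reads the GUIDs of the user object class and of the Reset Password extended right from the directory rather than hard-coding them, delegates to a group (per the best practice below), and ends by listing the explicit ACEs on the OU so the delegation can be recorded. The OU and group names are assumptions.

```powershell
Import-Module ActiveDirectory
$ou    = "OU=Sales,DC=example,DC=com"   # assumed OU
$group = Get-ADGroup 'Sales-HelpDesk'   # assumed group; delegate to the group, add people to it
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$rootDse = Get-ADRootDSE

# GUID of the user object class (schemaIDGUID) and of the Reset Password extended right (rightsGuid)
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]::new([byte[]]$userClass.schemaIDGUID)
$resetPwd = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetPwdGuid = [guid]$resetPwd.rightsGuid

$acl = Get-Acl -Path "AD:\$ou"

# Task 1: reset passwords on user objects anywhere beneath the OU.
# Object-specific ACE: right = Reset Password, applied to descendant objects of class user only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ExtendedRight', 'Allow', $resetPwdGuid, 'Descendents', $userClassGuid))

# Task 2: create and delete user objects in the OU and in child OUs.
# Object-specific ACE: CreateChild/DeleteChild limited to child objects of class user.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'CreateChild, DeleteChild', 'Allow', $userClassGuid, 'All'))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Track the delegation: the explicit (non-inherited) ACEs on the OU are the record of what was delegated
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The wizard's "Reset user passwords and force password change at next logon" task additionally grants write access to the pwdLastSet attribute; add a second object-specific ACE for that attribute's schemaIDGUID if that behaviour is wanted.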
Customizing MMC Consoles
Creating Customized MMC Consoles
Open MMC
Add and configure the required snap-ins in the MMC console
Configure the MMC console mode
Configure the MMC console view
Save the MMC console
Distributing Customized MMC Consoles
Installing Windows 2012 Snap-ins
Are contained in Windows 2012 administrative tools
Are required for remote administration from a client computer running a desktop edition of Windows, where they are installed as part of the Remote Server Administration Tools
Setting Up Taskpads
What Is a Taskpad?
Is a Customized Administrative Tool
Contains Tasks That Are Shortcuts to Specific Commands in an MMC Console
Provides Advantages:
Makes it easier for novice users to perform their jobs
Makes complex tasks easier
Creating and Configuring a Taskpad
Create a customized MMC console
Create a taskpad
Configure a task in the taskpad
Customize the taskpad view
Adding Tasks in a Taskpad
Each Task Is a Shortcut to a Command in the MMC Console
Best Practices
Use Deny Permissions Sparingly
Ensure That the Delegated User Completes the Delegated Tasks
Provide Training for Users Who Have Control of Objects
Add Frequently Used Customized Consoles to the Start Menu
Save Copies of Your Customized Consoles in a Shared Folder
Delegate to Groups and Add Specific Users to Those Groups