Get started Bring yourself up to speed with our introductory content.

AD permissions

This excerpt from Chapter 5 of "The definitive guide to Windows 2000 security" explains how to set permissions in Active Directory.

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.

AD permissions

Just as you can set permissions on NTFS objects, you can also set permissions on objects in AD. You access the permissions on an AD object in pretty much the same way as for any other object: Right click the object, choose Properties from the shortcut menu, then click the Security tab. The basic permissions on a user object are shown in Figure 5.7.

Figure 5.7: The basic AD permissions dialog box for a user object.

When you administer AD, you'll often use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. If you find that when you view the properties of an object, the Security tab isn't present, you'll need to make a quick configuration change to the snap-in. This change is required because Windows 2000 considers viewing the security settings of an AD object to be an advanced feature. To enable the Security tab and the other advanced features of the snap-in, choose View, Advanced Features.

Like the basic NTFS permissions dialog box, the basic AD permissions dialog box's Security tab shows you only the basic permissions that are available to control access to AD objects. Again, to access all the permissions for an AD object, click Advanced in the basic permissions dialog box, then click View/Edit. A list appears of permissions that can apply to a number of objects, as shown in Figure 5.8. If the object is a container, the list includes permissions that apply to the object (the container), child objects (objects in the container), and a subset of child objects (for example, only User objects).

Figure 5.8: The full AD permissions dialog box for a user object.

The fact that a container shows you the permissions that can apply to a number of different objects is one of the big differences between permissions on an NTFS volume and permissions in AD. When you own a folder on an NTFS volume and can set permissions on it, they also apply to all the objects (such as files) in the folder. For example, let's say that you give the GoodFellas security group Read permission on a folder. When you apply the permission, on the advanced NTFS permissions dialog box, you select This folder, subfolders and files from the Apply onto text box so that the permission propagates to all the objects in the folder. The GoodFellas group now has access to the complete tree of objects that starts with the folder that you originally set the permission on.

Propagating permissions doesn't work in quite the same manner for objects in AD. When you own a container in AD, you can allow certain types of access to objects in the container without granting access to other child objects. Think about owning an organizational unit (OU). You can add permissions to an OU that let the GoodFellas group read its contents and apply particular permissions to certain types of child objects. For example, if you set a permission on a User object, it will flow down only to other User objects, not to other objects such as other OUs, group objects, or contact objects. This feature allows permissions in AD to be object-specific; it isn't a capability that is shared with the permissions on an NTFS volume.

In addition to setting permissions on objects in AD, you can set them at the attribute level. When you set permissions to allow or deny access at the object level, they apply to the entire object. For example, you can set object-level permissions on an OU to allow the GoodFellas group to create child objects in the OU. When you set permissions to allow or deny access at the attribute level, they apply only to the specific attribute of the object. An example is setting attribute-level permissions on the Home Phone property of a User object so that only you can change the value of the attribute.

You can set attribute-level permissions on an AD object by right-clicking the object, selecting Properties, clicking Advanced on the resulting dialog box, selecting one of the permissions, then clicking View/Edit. Figure 5.9 shows the resulting Properties tab (remember that properties and attributes are synonyms).

Figure 5.9: Modifying the attribute-level permissions on a User object.

Even with the grand list of permissions shown in this dialog box, the dialog box doesn't list every attribute, only the commonly used attributes that Microsoft thinks you'll want to control access to. That this list is abridged is actually a desirable quality because the number of attributes that an object can have can be very large, so the UI filters out object types and attributes to keep things easier to manage.

You can control the behavior of object and attribute filtering by modifying the Dssec.dat file, which is in the %Systemroot%/System32 folder on every domain controller. By adding or removing items from the list, you can control the filtering action of AD objects and attributes by the Windows 2000 UI.

Miscellaneous permissions

While I've taken a quick look at the two predominant types of permissions that you'll work with in Windows 2000, there are obviously many more securable objects available in Windows 2000. So although I've only talked about the securable objects on an NTFS volume and in AD, you should have a good understanding at this point of what permissions are and how you can manipulate them.

But let's talk very briefly about securable objects and what the term means. Simply put, if an object is securable, you can set permissions on it. That's all there is to it, really, so if you encounter an object and you're not sure whether it's securable, see if it has a permission that you can set.

Click for the next excerpt in this series: user rights

Click for the book excerpt series or get the full e-book.

Dig Deeper on Windows systems and network management