Document information: 48 pages, 1.22 MB.
Contents

Overview 1
Introduction to Delegating Administrative Control 2
Controlling Access to Active Directory Objects 3
Delegating Administrative Control of Active Directory Objects 9
Lab A: Delegating Administrative Control 15
Managing Computer Accounts 23
Customizing MMC Consoles 28
Setting Up Taskpads 33
Lab B: Creating Custom Administrative Tools 38
Review 43

Module 10: Delegating Administrative Control

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, places or events is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, <plus other appropriate product names or titles. The publications specialist replaces this example list with the list of trademarks provided by the copy editor.
Microsoft, MS-DOS, Windows, and Windows NT are listed first, followed by all other Microsoft trademarks listed in alphabetical order.> are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. <The publications specialist inserts mention of specific, contractually obligated to, third-party trademarks, provided by the copy editor> The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

The Active Directory™ directory service provides administrators with a high degree of control over who has access to information in Active Directory. By managing the permissions on directory objects and properties, administrators can precisely specify which accounts can gain access to Active Directory and the level of access that these accounts have. This precision enables administrators to delegate specific authority over portions of Active Directory to groups of users, without making the information in Active Directory vulnerable to unauthorized access. The ability to delegate relieves the burden of centralized administration.

Controlling access and delegating administrative authority to Active Directory objects is important, especially when developing a decentralized administrative model.

After completing this module, students will be able to:
! Describe key concepts for delegating administrative control.
! Control access to Active Directory objects.
! Delegate administrative control of Active Directory objects.
! Manage computer accounts.
! Create and deploy customized consoles.
! Use and configure taskpads.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the Microsoft® PowerPoint® file 2126a_10.ppt.

Preparation Tasks
To prepare for this module:
! Read all of the materials for this module.
! Complete the labs.
! Read the white paper, Microsoft Management Console: Overview, under Additional Reading on the Web page on the Student Materials compact disc.

Presentation: 60 Minutes
Lab: 60 Minutes

Module Strategy

Use the following strategy to present this module:
! Introduction to Delegating Administrative Control
  Ensure that students understand that the delegation of administrative roles is achieved only by using permissions, even when using the Delegation of Control Wizard. Emphasize the ease with which tasks can be distributed to lower-level administrators and users, and the importance of documenting the assignment of permissions to aid troubleshooting.
! Controlling Access to Active Directory Objects
  Introduce the permissions that are applied to objects in Active Directory. Illustrate how to control inheritance of permissions in Active Directory and demonstrate how to assign permissions.
! Delegating Administrative Control of Active Directory Objects
  Introduce how to delegate administrative control at the organizational unit level in Active Directory. Demonstrate how to assign permissions at the organizational unit level by using the Delegation of Control Wizard, and identify the guidelines for delegating administrative control of objects in Active Directory.
! Managing Computer Accounts
  Students are likely to be more familiar with user accounts than with computer accounts. Compare and contrast user accounts and computer accounts throughout this topic to reinforce the information presented. Demonstrate how to reset and pre-create computer accounts.
! Customizing MMC Consoles
  Introduce how to customize Microsoft Management Console (MMC) consoles. List the tasks for customizing an MMC console and demonstrate how to create and customize an MMC console. Illustrate the procedures for distributing customized MMC consoles and installing snap-ins in Microsoft Windows® 2000.
! Setting Up Taskpads
  Introduce the setting up of taskpads. Describe a taskpad and show students what a completed taskpad looks like. Explain the procedures for creating and configuring a taskpad, and adding tasks in a taskpad.

Overview

! Introduction to Delegating Administrative Control
! Controlling Access to Active Directory Objects
! Delegating Administrative Control of Active Directory Objects
! Managing Computer Accounts
! Customizing MMC Consoles
! Setting Up Taskpads

The Active Directory™ directory service provides administrators with a high degree of control over who has access to information in Active Directory. By managing the permissions on directory objects and properties, administrators can precisely specify which accounts can gain access to Active Directory and the level of access that these accounts have. This precision enables administrators to delegate specific authority over portions of Active Directory to groups of users, without making the information in Active Directory vulnerable to unauthorized access. The ability to delegate relieves the burden of centralized administration.

Controlling access and delegating administrative authority to Active Directory objects is important, especially when developing a decentralized administrative model. Higher-level administrators may delegate responsibility to you, or you may want to delegate responsibility to other users.

After completing this module, you will be able to:
! Describe key concepts for delegating administrative control.
! Control access to Active Directory objects.
! Delegate administrative control of Active Directory objects.
! Manage computer accounts.
! Create and deploy customized consoles.
! Use and configure taskpads.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to delegate administrative control of Active Directory objects.
Introduction to Delegating Administrative Control

! Decentralize administration
! Assign permissions to OU
! Delegate the following types of control:
  " Assign all permissions for an OU
  " Assign permissions to modify specific attributes

[Figure: a domain containing OU1, OU2, and OU3, with administrators Admin1, Admin2, and Admin3.]

Delegating administrative control allows you to decentralize administration by distributing the task of administering objects among several individuals. You can delegate administrative control of objects by assigning permissions to the objects that allow users or groups of users to administer them. Because managing permissions at the organizational unit level is easier than tracking permissions on individual objects, the delegation of administrative control is performed at the organizational unit level.

For example, you can delegate administrative control by assigning the Full Control permission for an organizational unit to a departmental administrator in his or her area of responsibility. By delegating control of the organizational unit to the departmental administrator, you decentralize administrative operations. This reduces your administration time and costs by distributing administrative control closer to its point of service.

Consider the following strategies for assigning permissions:
! Assign all permissions for a specific organizational unit, which includes the permissions to create or modify objects in that organizational unit. For example, you can delegate administrative control to create user accounts and computer accounts, or to modify the attributes of user accounts and computer accounts.
! Assign the permissions to modify specific attributes of an object or to perform specific tasks, such as assigning the permission to reset passwords on user accounts.

Tip: The permissions assigned for administration must always be clearly documented to assist in troubleshooting.

Slide Objective: To describe the purpose of delegating administrative control of objects.
Lead-in: You delegate administrative control of objects by assigning permissions to the objects that allow users or groups of users to administer them.
Key Points: You can decentralize administration by delegating specific tasks to other administrators. Delegation of administrative control at the organizational unit level enables you to track permissions easily.

Controlling Access to Active Directory Objects

! Active Directory Permissions
! Controlling Inheritance of Permissions
! Setting Active Directory Permissions

To control which objects specific users have access to in Active Directory, you must decide what permissions are required, which object or objects those permissions will apply to, and which users or groups must have those permissions.

Slide Objective: To introduce ways in which access to Active Directory objects is controlled.
Lead-in: You can use permissions to grant administrative privileges—for an organizational unit, a hierarchy of organizational units, or a single object—to a specific user or group.

Active Directory Permissions

[Figure: the Access Control Settings for Domain Controllers dialog box, Permissions tab. The Permission Entries list (columns Type, Name, Permission, Apply to) shows Allow entries for Authenticated Users, Domain Admins, SYSTEM, Administrators, and Enterprise Admins, with permissions of Special or Full Control applied to "This object only" or "This object and all child objects"; the selected entry is described as "This permission is defined directly on this object. This permission is not inherited by child objects." The dialog box has Add, Remove, and View/Edit buttons, an Auditing tab, and the check box "Allow inheritable permissions from parent to propagate to this object".]
Permissions:
" Can be allowed or denied
" Can be implicitly or explicitly denied
" Can be set as standard or special permission

A permission is an authorization assigned by an owner so that users can perform an operation on a specific object, such as a user account. If you own an object, you can assign user or security group permission to perform some or all of the tasks that you are authorized to do.

The permissions on each object are stored in a discretionary access control list (DACL). Each individual permission is contained in an access control entry (ACE). ACEs are stored in the DACL. Users can view ACEs in the Access Control Settings dialog box, under Permission Entries.

Allowing and Denying Permissions
You can allow or deny permissions. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. For example, if you deny permission for a user to gain access to an object, the user will not have that permission, even if you allow the permission for a group of which the user is a member. Deny permissions only when it is necessary to remove a permission that a user may have been assigned through a group membership.

Important: There is one exception to the rule that denied permissions take precedence over allowed permissions: an explicit Allow permission on an object takes precedence over an inherited Deny permission. You can visually distinguish between explicit ACEs and inherited ACEs by checking the color of the key icon to the left of the ACE name. The icon for explicit ACEs is yellow; the icon for inherited ACEs is gray.

Slide Objective: To describe how permissions are applied in Active Directory.
Lead-in: You control access to network resources by assigning permissions.
Delivery Tip: Demonstrate how to view the permissions for an object by using the Access Control Settings dialog box. Use the Permission Entries tab to show the assigned permissions.
Key Points: You can allow or deny permissions for every object in Active Directory. Permissions can be implicitly or explicitly denied.

Implicit or Explicit Permissions
You can implicitly or explicitly deny permissions as follows:
! When permission to perform an operation is not explicitly assigned, it is implicitly denied. For example, if the Marketing group is allowed Read permission on a user object, and no other security principal is listed on the DACL for that object, users who are not members of the Marketing group are implicitly denied access. The operating system does not allow users who are not members of the Marketing group to read the properties of the user object.
! Permissions can also be explicitly denied. For example, it may be necessary to prevent a user named Don from viewing the properties of a user object, even though he is a member of the Marketing group that has permissions to view the properties of the user object. You can prevent Don from accessing the user object properties by explicitly denying him Read permission. This example illustrates the use of explicit denials, which are designed to exclude a subset, such as Don, in a larger group, such as Marketing, from performing a task that the larger group has permissions to perform.

Standard and Special Permissions
You can set standard permissions and special permissions on objects. Standard permissions are the most frequently assigned permissions. Special permissions provide a finer degree of control for assigning access to objects. The following table lists standard permissions that are available for most objects and the type of access that each permission allows the user to have.

Object permission           Allows the user to
Full Control                Change permissions and take ownership, and perform the tasks that are allowed by all other standard permissions.
Read                        View objects and object attributes, the object owner, and the Active Directory permissions.
Write                       Change object attributes.
Create All Child Objects    Add any type of child object to an organizational unit.
Delete All Child Objects    Remove any type of child object from an organizational unit.

Controlling Inheritance of Permissions

! Objects inherit permissions that exist at the time of creation
! Inheritance of permissions can be blocked
  " Copy previously inherited permissions to the object
  " Remove previously inherited permissions from the object

[Figure: two organizational unit hierarchies showing Full Control and Read permissions flowing from parent OUs to child OUs.]

Permission inheritance in Active Directory automatically causes objects in a container to inherit the permissions of that container. For example, the files in a folder, when created, inherit the permissions of the folder. This inheritance minimizes the number of times that you assign permissions for objects. When an object is created, the Active Directory schema defines a default set of permissions that will be set on the object.

Applying Permissions to Child Objects
You can assign permissions so that the permissions apply to the object's child objects. For example, if you want a user to administer all objects in an organizational unit, assign Full Control permissions to the user, and all child objects will inherit this permission. To indicate that permissions have been inherited, the check boxes in the Permissions dialog box for child objects appear dimmed.

Preventing Child Objects from Inheriting Permissions
You can prevent permission inheritance so that a child object does not inherit permissions from its parent object. You prevent inheritance when you want to set more restrictive permissions on child objects than on a parent object. When you prevent inheritance, only the permissions that you explicitly assign to the object apply. When you prevent permission inheritance, you can use Microsoft® Windows® 2000 to:
! Copy previously inherited permissions to the object.
  Then, according to your needs, you can make any necessary changes to the permissions.
! Remove previously inherited permissions from the object. Then, according to your needs, you can assign new permissions for the object.

Slide Objective: To illustrate how to control inheritance of permissions.
Lead-in: You can use permission inheritance to minimize the number of times you assign permissions for objects.
Delivery Tip: Explain that when you copy previously inherited permissions, you are starting with the same permissions that the object currently inherits from its parent object. However, any permission for the parent object that you modify after blocking inheritance no longer applies. Demonstrate how to prevent inheritance by using the Security tab in the Properties dialog box for the User organizational unit.

[...]

... Delegation of Control Wizard page, and then click Finish to close the wizard.

[...]

Guidelines for Delegating Administrative Control
Slide Objective: To identify guidelines for delegating administrative control of objects.
Lead-in: Here are some guidelines for delegating administrative control.
! Assign control at the organizational unit level
! Use the Delegation of Control ...

[...]

... access problems.
! Follow the guidelines that your organization uses for delegating control.

Lab A: Delegating Administrative Control
Topic Objective: To introduce the lab.
Lead-in: In this lab, you will review the default security settings on components in Active Directory, and delegate control over objects in an organizational unit. Explain the lab objectives ...

[...]

... objects.
Key Points: You can decentralize administration by delegating specific tasks to other administrators. Delegation of administrative control at the organizational unit level enables you to track permissions easily.
! Overview of Delegating Administrative Control
! Using the Delegation of Control Wizard
! Guidelines for Delegating Administrative Control

Delegation is the ability to assign responsibility ...

[...]

... list of object types that you can select to delegate control, including computer objects, group objects, and printer objects. After you select an object type to control, click Next to continue.

5. Assign permissions to users or groups to which you want to delegate control. You can use the Delegation of Control Wizard to select the types of permissions that ...

[...]

... can result and prevent users from completing tasks.

Delegating Administrative Control of Active Directory Objects
Slide Objective: To introduce the topics related to delegating administrative control of Active Directory objects.
Lead-in: You delegate administrative control of Active Directory objects by assigning permissions to the objects to allow users ...

[...]

... need for multiple administrative accounts that have broad authority, such as for an entire domain. You can use the predefined Domain Admins group for administration of the entire domain, and delegate responsibility for parts of the domain, such as individual organizational units, to trusted users.

Overview of Delegating Administrative Control
Slide Objective: To introduce delegating of administrative control in Active Directory.
Lead-in: You can manage a network more efficiently by delegating administrative control to other administrators.

[Figure: a domain containing OU1, OU2, and OU3, with administrators Admin1, Admin2, and Admin3.]

The goal of delegating the ability to assign permissions is to conserve administrative effort and cost wherever possible.
Key Point: ...
... organizational unit.

You delegate administrative control by creating organizational units in a domain and delegating administrative control for specific organizational units. Windows 2000 contains specific permissions and user rights that you can use to delegate administrative control. By using a combination of organizational units, groups, and permissions, you can designate administrative rights to a particular ...

[...]

... delegate the right to set a password on a user object.

Using the Delegation of Control Wizard
Slide Objective: To illustrate how to assign permissions at the organizational unit level by using the Delegation of Control Wizard.
Lead-in: Assigning permissions to objects and object attributes allows you very detailed control, but it can be cumbersome. Most of the time, ...

[...]

Group                                  Permission
...                                    Full Control
Enterprise Administrators              Full Control
Pre-Windows 2000 Compatible Access     Special
Print Operators                        Special Permissions
System                                 Full Control

Why are all permission check boxes for some groups cleared?
Additional permissions are present, but you cannot view them in this dialog box. To view these additional permissions, click Advanced.

[...]

... guidelines for delegating administrative control.

Lab A: Delegating Administrative Control
Objectives
After
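The access-check rules stated under Active Directory Permissions and Controlling Inheritance of Permissions above, as an added worked example that is not part of this Microsoft courseware: a simplified Python model of DACL evaluation (canonical ACE order, implicit deny, explicit Deny over Allow, explicit Allow over inherited Deny) and of blocking inheritance with Copy versus Remove. The object, user, and group names other than Don and Marketing (Kim, Contractors, the OU and user names) are constructed; the real Windows access check also considers object-type-specific ACEs, owner rights, and the SYSTEM account, which this model omits.

```python
# Added example (not Microsoft courseware): simplified model of DACL evaluation
# per the module's rules; object-type ACEs, owner rights and SYSTEM are omitted.
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Ace:
    principal: str           # user or group the entry applies to
    allow: bool              # True = Allow ACE, False = Deny ACE
    rights: Set[str]         # e.g. {"Read", "Write"}
    inherited: bool = False  # gray key icon in the dialog box; False = explicit

@dataclass
class AdObject:
    name: str
    dacl: List[Ace] = field(default_factory=list)

    def create_child(self, name: str) -> "AdObject":
        # A new object inherits the ACEs on its parent at creation time; later
        # changes to the parent are not propagated in this simplified model.
        return AdObject(name, [Ace(a.principal, a.allow, set(a.rights), True)
                               for a in self.dacl])

    def block_inheritance(self, copy: bool) -> None:
        # Copy: inherited ACEs become explicit. Remove: they are discarded.
        kept = [Ace(a.principal, a.allow, set(a.rights), False)
                for a in self.dacl if a.inherited] if copy else []
        self.dacl = [a for a in self.dacl if not a.inherited] + kept

def access_allowed(obj: AdObject, user: str, groups: Dict[str, Set[str]],
                   wanted: Set[str]) -> bool:
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    # Allow. A Deny on a still-needed right ends the check, so an explicit Allow
    # is seen before an inherited Deny; a right no ACE grants is implicitly denied.
    principals = {user} | groups.get(user, set())
    remaining = set(wanted)
    for ace in sorted(obj.dacl, key=lambda a: (a.inherited, a.allow)):
        if ace.principal not in principals:
            continue
        if not ace.allow and ace.rights & remaining:
            return False
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True
    return False

def demo() -> Dict[str, bool]:
    # Constructed sample data: Marketing is allowed Read on the OU; Don and Ann
    # belong to Marketing, Bob does not; Don is explicitly denied Read on one user.
    groups = {"Don": {"Marketing"}, "Ann": {"Marketing"}, "Kim": {"Contractors"}}
    sales = AdObject("OU=Sales", [Ace("Marketing", True, {"Read"})])
    pat = sales.create_child("CN=Pat")
    pat.dacl.append(Ace("Don", False, {"Read"}))
    temp = AdObject("OU=Temp", [Ace("Contractors", False, {"Write"})])
    box = temp.create_child("CN=Box")
    box.dacl.append(Ace("Contractors", True, {"Write"}))  # explicit Allow
    removed = sales.create_child("CN=Removed")
    removed.block_inheritance(copy=False)
    copied = sales.create_child("CN=Copied")
    copied.block_inheritance(copy=True)
    return {
        "Ann reads via Marketing": access_allowed(pat, "Ann", groups, {"Read"}),
        "Don explicitly denied": access_allowed(pat, "Don", groups, {"Read"}),
        "Bob implicitly denied": access_allowed(pat, "Bob", groups, {"Read"}),
        "Ann has no Write": access_allowed(pat, "Ann", groups, {"Read", "Write"}),
        "explicit Allow beats inherited Deny": access_allowed(box, "Kim", groups, {"Write"}),
        "Remove drops Marketing Read": access_allowed(removed, "Ann", groups, {"Read"}),
        "Copy keeps Marketing Read": access_allowed(copied, "Ann", groups, {"Read"}),
    }
```

Calling demo() returns each case with True for allowed and False for denied; the Copy and Remove cases reproduce the Delivery Tip above, since a child whose inherited entries were removed falls back to implicit deny.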