Welcome to the 12th installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This installment reviews Windows 2000 Active Directory Delegation of Authority - Assigning Permissions, and specifically covers Assigning Permissions to Active Directory Objects.
By delegating control of day-to-day administration at the organizational unit level in the domains throughout your Windows 2000 forest to other responsible domain members and junior administrators, you allow decentralized administrative operations closer to the worker level, and you free more seasoned Administrators to concentrate on enterprise-wide services and issues.
You can use permissions to grant administrative control to a specific user or groups of users so that they can administer a single organizational unit or an entire hierarchy of organizational units, depending on your needs and the detail of delegation your Enterprise requires.
You can allow or deny permissions for every object in Active Directory as long as you are the owner of that object. Permissions can be set either implicitly or explicitly, they can be allowed or denied, and they can be set as standard permissions or as special permissions.
[NOTES FROM THE FIELD] - Domain and Enterprise Administrators have the rights to allow or deny permissions for every object in Active Directory, in addition to any other owners that may own the objects.
The permissions on all Active Directory objects are stored in that object's DACL (Discretionary Access Control List). Each individual permission that is set, both allow and deny, is contained in an ACE (Access Control Entry).
[NOTES FROM THE FIELD] - In order to view the Security tab of an object and/or to see other advanced views in the Active Directory Users and Computers MMC, you need to select VIEW and then choose Advanced Features.
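The DACL and ACE structure described above, as an added example that is not part of the original article: Python code that splits a DACL written in SDDL (the text form of a Windows security descriptor) into its ACEs, labels each as allow or deny and as explicit or inherited, and lists explicit allow entries that grant permission-changing rights. The sample SDDL string, its SIDs and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "kind rights object_guid trustee inherited")

KINDS = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny"}
# SDDL two-letter rights codes used on directory objects.
RIGHTS = {"CC": "create child", "DC": "delete child", "LC": "list children",
          "RP": "read property", "WP": "write property", "SD": "delete",
          "DT": "delete tree", "RC": "read permissions",
          "WD": "modify permissions", "WO": "modify owner", "GA": "full control"}
RISKY = {"GA", "WD", "WO"}  # rights that let a trustee rewrite the DACL or take ownership

# Constructed sample: DACL of a hypothetical OU; the SIDs are made up.
SAMPLE = ("O:DAG:DA"
          "D:(D;;SDDT;;;S-1-5-21-1000-2000-3000-1105)"
          "(A;CI;CCDCRPWP;;;S-1-5-21-1000-2000-3000-1104)"
          "(A;CI;RPWPWD;;;S-1-5-21-1000-2000-3000-1106)"
          "(A;CIID;GA;;;DA)")

def parse_dacl(sddl):
    """Return the ACEs of the DACL section of an SDDL string, in stored order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []  # the string carries no DACL section
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        kind, flags, rights, obj, _inherit_obj, trustee = body.split(";")[:6]
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        inherited = "ID" in re.findall("..", flags)  # ID flag marks an inherited ACE
        aces.append(Ace(KINDS.get(kind, kind), codes, obj or None, trustee, inherited))
    return aces

def risky_grants(aces):
    """Explicit allow ACEs that grant a right listed in RISKY."""
    return [a for a in aces
            if a.kind == "allow" and not a.inherited and RISKY & set(a.rights)]

def describe(ace):
    names = ", ".join(RIGHTS.get(c, c) for c in ace.rights)
    source = "inherited" if ace.inherited else "explicit"
    return f"{ace.kind.upper():5} {ace.trustee} [{source}] {names}"

if __name__ == "__main__":
    dacl = parse_dacl(SAMPLE)
    for ace in dacl:
        print(describe(ace))
    print("review:", [a.trustee for a in risky_grants(dacl)])
```

In the sample, only the explicit entry for the account ending in -1106 is listed for review, because it can modify permissions on the OU; the inherited full-control entry for Domain Admins (alias DA) is reported but not flagged.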