Managing Access to Objects in Organizational Units
In this section, you will learn:
- The Organizational Unit structure
- Modifying permission for Active Directory objects
- Delegating control of Organizational Units
As you have learned in previous tutorials, Organizational Units are a fundamental part of Active Directory. Security and managing access to Organizational Units is essential to have a secure and efficient network architecture. This section teaches you how to manage access to objects within Organizational Units.
The Organizational Unit Structure
Active Directory allows administrators great control over the organization of their directory. This organization gives you flexibility with your environment.
Using Organizational Units and Groups in Active Directory can allow you to tailor AD to meet the needs of your business. There are distinct differences between OUs and Groups. You should properly plan out your AD design to ensure you are following best practices and make an efficient and effective environment.
Organizational Units are designed to be an effective structure to use for security purposes. You shouldn’t use OUs just to create a model of your existing corporate structure (e.g. Marketing, IT, HR, Accounting, etc.) unless you have specific IT groups that manage those departments. You should instead look at a design based on efficient administration. If you have multiple locations and IT groups in those locations supporting those machines, you should probably design one based on geographical requirements and the local administration of individual OUs.
Groups are a more effective method of creating your organizational structure. For example, you can create separate marketing, IT, HR, or accounting groups for users to distribute emails to or for secure access to resources.
Users can view group members when creating folders and adding security. Typically, end users do not see members of OUs.
The Computers and Users containers you see in Active Directory Users and Computers are not Organizational Units. They are containers, which are distinctly different from OUs. Containers have a different security model. Even if your Active Directory environment is just for a small company, we recommend creating OUs to store your computer accounts and user accounts.
Modifying Permissions for Active Directory Objects
By default, you cannot see the security settings for objects in AD in Active Directory Users and Computers. In order to turn this functionality on:
- Open Active Directory Users and Computers.
- Click the View menu.
- Click Advanced Features.
Whenever you choose Properties on an object, you will see a Security tab on the window.
If you scroll down the list of Group or user names you can view the security permissions for each of the accounts.
Typically, your security is inherited from the parent object. Click on the Advanced button. If the Allow inheritable permissions from the parent to propagate to this object checkbox is checked, this object is inheriting its permissions from a parent object.
Think of the objects as a tree.
In the diagrammed example, you have a tree of objects in your Active Directory domain. Everything with a solid line inherits (copies) all of the security rights from above. The Users OU has a dotted line, so it does not inherit the security rights but instead has its own settings. In this example, if you make a security change to the domain, every object except for Users will inherit those changes. Since Users has its own security rights, it will not receive a new copy of the updated rights.
Likewise, while a child object is inheriting, you cannot change its security on the child itself – you must change it on the parent. If you wanted to change a security setting on OU 1, you would need to stop it from receiving settings from its parent and then make the change. After the change, any child objects (in the example, the Computers OU) will receive the new changes because they inherit their security from their parent, OU 1. However, since Users is not inheriting its rights from OU 1, it will remain independent, keeping its own settings.
This principle also applies to other security permissions on other objects within Windows Server 2003. For example, if you set security rights on folders on a shared drive, you use these same principles when inheriting rights to subfolders.
These principles about the operation of security in Windows Server 2003 are crucial for your success. You must understand how inheriting works and how child objects react if they are or are not inheriting rights.
Exploring Inheriting Permissions
We set up a new Organizational Unit, Miami. Under this OU, we set up this structure:
All of the OUs created are inheriting their permissions from their parent object. For example, the Laptops OU inherits from the Computers OU which inherits from the Miami OU. If we make a change to the Computers OU, Laptops and Desktops will inherit those changes.
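To see the solid-line/dotted-line picture above for a real OU tree, the following added example (not from the original tutorial) walks the Miami OU and reports which OUs inherit from their parent. It assumes the ActiveDirectory PowerShell module's AD: drive (Windows Server 2008 R2 or later, not Server 2003 itself) and a placeholder domain of DC=example,DC=com.

```powershell
# Added example, not from the original tutorial.
# Assumes the ActiveDirectory module (AD: drive) and a placeholder domain name.
Import-Module ActiveDirectory

$Root = 'OU=Miami,DC=example,DC=com'   # assumption: replace with your own domain

# Walk the Miami OU and every OU beneath it. An OU whose DACL is "protected"
# is the dotted-line case from the text: it keeps its own settings and will
# not receive changes made on its parent.
Get-ADOrganizationalUnit -SearchBase $Root -SearchScope Subtree -Filter * |
    Sort-Object DistinguishedName |
    ForEach-Object {
        $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        # ACEs defined directly on this OU, as opposed to copies flowing down from above
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        [pscustomobject]@{
            OU                 = $_.DistinguishedName
            InheritsFromParent = -not $acl.AreAccessRulesProtected
            ExplicitACEs       = $explicit
        }
    } | Format-Table -AutoSize
```

Run it before and after a change on the Computers OU to confirm that Laptops and Desktops still show InheritsFromParent as True while Computers itself no longer does.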
Changing Security on an OU
- Open Active Directory Users and Computers.
- Click the View menu and select Advanced Features (if it is not already selected).
- Right-click on the OU you want to manage. In our example, we are going to change the Computers OU’s security. Choose Properties.
- Click on the Security tab.
- The security rights for this OU are listed. Click Advanced.
- Uncheck the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these entries explicitly defined here.
- You have several options presented to you. You can Copy the current security settings, you can Remove the current settings and start with a clean slate, or you can simply Cancel the request. If you are simply adding or changing a single group or two in the security, it makes sense to Copy – you have a template to start with. If you are making a big change, removing the current settings may be easier. In our example, we are going to Copy the current security permissions.
- Click OK.
- Click Yes to the popup message.
- The security settings remain in place because we chose Copy rather than removing them entirely.
- Remove several of the groups listed from having security rights – for example, Account Operators or Authenticated Users.
- Click Add to add groups or users.
- As an example, we added the IT group to have Full Control over the OU.
- Click OK.
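The same change carried out with PowerShell, as an added example that is not from the original tutorial. It assumes the ActiveDirectory module's AD: drive (Windows Server 2008 R2 or later, not Server 2003 itself), a placeholder domain DC=example,DC=com with the NetBIOS name EXAMPLE, and a group named IT; the two writes mirror clicking OK after breaking inheritance and then OK again after editing the entries.

```powershell
# Added example, not from the original tutorial. Domain, NetBIOS name and
# the IT group are placeholders for your own environment.
Import-Module ActiveDirectory

$OuPath = 'AD:\OU=Computers,OU=Miami,DC=example,DC=com'

# Stop inheriting from the Miami OU and COPY the inherited entries so they
# become explicit entries on this OU (the Copy choice in the tutorial).
$acl = Get-Acl -Path $OuPath
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $OuPath -AclObject $acl

# Re-read so the copied entries are now explicit and can be removed.
$acl = Get-Acl -Path $OuPath
foreach ($name in 'BUILTIN\Account Operators', 'NT AUTHORITY\Authenticated Users') {
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $name } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
}

# Grant the IT group Full Control (GenericAll) over this OU and all children,
# which is what Laptops and Desktops will inherit.
$it   = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'IT')
$sid  = $it.Translate([System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $OuPath -AclObject $acl

# Show the explicit entries that now make up the Computers OU's security.
(Get-Acl -Path $OuPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```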