Wednesday, January 20, 2010

So you want to assign DEFAULT permissions to active directory objects…

Maybe you want your delegated admin or help desk team to have the ability to manage user account objects throughout Active Directory, but you don’t want to make them members of the Domain Admins group. You could delegate authority to this group at the domain or OU level. Likewise you may want certain groups to be able to manage all group policies without having to give them special permissions, or, again, without making them domain administrators. Again, you could use the Delegation of Control wizard or the Security tab to set permissions that will be inherited by all objects of this type at the domain or OU level. Or…

You could do what Microsoft has already done, and assign default permissions to objects based upon their schema class type. Every new object of that class is created with those permissions as explicit (non-inherited) ACEs on the object itself, so they can be removed per object without breaking inheritance, which can be a better model for some administrators. One word of warning: these changes are made forest-wide, because the schema is a single partition shared by every domain in the forest, so all the domains will be creating objects with these permissions in place. In a multi-domain environment this could be just what you wanted (central management) or absolutely the wrong thing (a group from one domain silently gaining rights over objects created in every other domain). If it’s just too widespread, you’ll need to use Active Directory delegation tools instead of default permissions.

To do this, you will need to be logged in as a member of the Schema Admins group, which by default contains only the built-in Administrator account of the forest root domain. Note that being a member of the Enterprise Admins group is not the same thing. That group has permissions over the configuration and domain directory partitions, but not the schema partition of Active Directory that determines what objects you can build, what attributes those objects will have, and of course, what default permissions they will begin with. Good practice is to add an account to Schema Admins only for the duration of the change and remove it afterwards.

You will also need to install the administrative tools on your machine (adminpak.msi, the Windows Server 2003 Administration Tools Pack, from the server’s C:\Windows\System32 directory or downloaded from Microsoft here: http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en).

After installing the administrative tools, you will have all the default Active Directory tools on your desktop, but no tool for the schema. The Schema snap-in ships with the tools but is not registered, so first run regsvr32 schmmgmt.dll from a command prompt. Then create a new MMC console (go to the Run line, type mmc, and press Enter) and add the Schema snap-in (File > Add/Remove Snap-in, click Add, choose Active Directory Schema).

Then you will need to open the Classes node and find the object class you are looking for. Users are easy (the class is called user) and Group Policy Objects are too (they are called groupPolicyContainer). In the properties for the class there is a Default Security tab, which you can use to set the default permissions for new objects of this schema class; what you set there is stored in SDDL form in the class’s defaultSecurityDescriptor attribute. However, you won’t see the change on newly created objects until (a) the schema cache on the domain controller has been reloaded (right-click Active Directory Schema and choose Reload the Schema, or wait for the automatic refresh, which happens a few minutes after the change) and (b) the change has replicated to all the domain controllers in your forest. Existing objects are not touched: the default only applies at creation time. You can make these permissions apply to an existing object by going to the Security tab of the AD object, going to Advanced, and clicking Default, which replaces the object’s explicit permissions with the schema default values (so any ACEs someone set by hand on that object are lost; inherited ACEs are unaffected). Good Luck!!!
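The same change driven from PowerShell, as an added example that is not code from the original post. It assumes the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2 or later), a logon that is a member of Schema Admins, and a hypothetical delegated group called CORP\HelpDesk; the permission granted is the Reset Password extended right on new user objects, and the script backs up the existing default descriptor before it writes anything, because the write is forest-wide.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module, a Schema Admins logon, and a hypothetical group "CORP\HelpDesk".
# Grants that group Reset Password on every *new* user object by editing the
# user class's defaultSecurityDescriptor (SDDL) in the schema partition.

Import-Module ActiveDirectory

$className  = 'user'            # lDAPDisplayName of the schema class to change
$groupName  = 'CORP\HelpDesk'   # assumption: the delegated help desk group
$backupFile = Join-Path $env:TEMP ("{0}-defaultSD-{1}.sddl" -f $className, (Get-Date -Format 'yyyyMMddHHmmss'))

# Reset Password is an extended right; this is its well-known rightsGuid.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Locate the classSchema object for the class inside the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$class = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$className))" `
    -Properties defaultSecurityDescriptor
if (-not $class) { throw "Schema class '$className' not found under $schemaNC" }

# 1. Back up the current default SDDL first: this change affects every domain
#    in the forest, so keep something to roll back to.
$class.defaultSecurityDescriptor | Set-Content -Path $backupFile
Write-Host "Original default SD for '$className' saved to $backupFile"

# 2. Parse the SDDL into an ActiveDirectorySecurity object instead of editing
#    the string by hand, then add one object-specific Allow ACE.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)

$identity = New-Object System.Security.Principal.NTAccount($groupName)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid)
$sd.AddAccessRule($rule)

# The group's SID ends up in the SDDL; because the descriptor is forest-wide,
# that SID is stamped on new users in every domain, not just the group's own.
$newSddl = $sd.GetSecurityDescriptorSddlForm(
    [System.Security.AccessControl.AccessControlSections]::All)
Write-Host "New default SD:`n$newSddl"

# 3. Write the new default back to the schema class.
Set-ADObject -Identity $class.DistinguishedName `
    -Replace @{ defaultSecurityDescriptor = $newSddl }

# 4. Reload the schema cache on the DC we are talking to so the new default is
#    used immediately; other DCs pick it up through normal replication.
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 5. Read it back as a check that the write took.
$check = Get-ADObject -Identity $class.DistinguishedName -Properties defaultSecurityDescriptor
if ($check.defaultSecurityDescriptor -ne $newSddl) {
    Write-Warning "Read-back does not match what was written; verify manually."
} else {
    Write-Host "defaultSecurityDescriptor for '$className' updated."
}
```

To roll back, run Set-ADObject -Replace with the SDDL saved in the backup file and reload the schema again. For an existing object, the Default button in the Advanced security dialog has a command-line equivalent: dsacls "CN=someuser,OU=Staff,DC=corp,DC=example" /S resets that object to the schema default for its class (add /T to walk a subtree), with the same caveat that hand-set explicit ACEs on the object are discarded.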
