
subject: Controlling Access To Active Directory Objects


To view the special permissions for an object, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers. On the View menu, ensure that Advanced Features is selected. Right-click the object for which you want to view special permissions, and then click Properties.

2. In the Properties dialog box for the object, click the Security tab. Click Advanced.

3. In the Advanced Security Settings dialog box for the object, select the appropriate security principal and permission in the Permission Entries list, and then click Edit.

4. In the Permission Entry dialog box for the object, select the Object tab to view special permissions for the object assigned to the security principal. Select the Properties tab to view special permissions for the properties assigned to the security principal.

As introduced in Chapter 3, "Administering Active Directory," Acldiag.exe and Dsacls.exe are Windows Support Tools that you can use to view and edit Active Directory permissions. For example, if you want to see all of the permissions assigned to an OU named Marketing in the contoso.com domain, you could type acldiag ou=marketing,dc=contoso,dc=com. The resulting output would be a complete dump of the discretionary access control list (DACL) of the Marketing OU, including a list of special permissions.

Object Ownership

When an object is created, the user creating the object automatically becomes its owner. Administrators create and own most objects in Active Directory and on network servers when installing programs on the server. Users create and own data files in their home directories and some data files on network servers. The owner controls how permissions are set on the object and to whom permissions are granted.

Ownership can be taken by:

- An administrator. By default, the Administrators group is given the Take Ownership Of Files Or Other Objects user right. User rights are discussed in Chapter 13, "Administering Security with Group Policy."

- Any user or group who has the Take Ownership permission on the object.

- A user who has the Restore Files And Directories user right.

In Windows Server 2003, quotas can be specified in Active Directory to control the number of objects a security principal (user, group, or computer) can own in a given directory partition. Quotas can help prevent the denial of service that can occur if a security principal creates objects until the affected domain controller runs

by: Blown
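
The owner and the ownership-related permissions described above can also be read from a script. The following PowerShell is an added example, not part of the original post: it assumes a domain-joined Windows host, reuses the post's Marketing OU distinguished name, and defines a hypothetical helper named Resolve-Sid. It reports the object's owner and every allow entry that grants WriteOwner (the directory right behind the Take Ownership permission) or WriteDacl.

```powershell
# Added example: audit who owns an Active Directory object and who can
# take ownership of it or rewrite its DACL.
# Assumption: the DN below is the Marketing OU used in the text; change it
# to an object in your own directory.
$dn = 'OU=Marketing,DC=contoso,DC=com'

# Hypothetical helper: turn a SID into DOMAIN\name, falling back to the raw
# SID string when the account no longer exists (orphaned ACE or owner).
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# Bind to the object and read its security descriptor
# (System.DirectoryServices.ActiveDirectorySecurity).
$entry = [ADSI]"LDAP://$dn"
$sd    = $entry.psbase.ObjectSecurity

# Owner: the principal that controls how permissions are set on the object.
$ownerSid = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
Write-Output ("Owner of {0}: {1}" -f $dn, (Resolve-Sid $ownerSid))

# WriteOwner lets a principal take ownership; WriteDacl lets it edit the
# permission entries. GenericAll (Full Control) contains both bits, so a
# bitwise test against these two flags also catches Full Control entries.
$sensitive = [System.DirectoryServices.ActiveDirectoryRights]'WriteOwner, WriteDacl'

# Explicit and inherited entries, with identities returned as SIDs so that
# unresolvable accounts do not raise an exception.
$rules = $sd.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

$rules |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $sensitive) -ne 0
    } |
    Select-Object @{ Name = 'Principal'; Expression = { Resolve-Sid $_.IdentityReference } },
                  ActiveDirectoryRights, IsInherited, InheritanceType |
    Sort-Object Principal |
    Format-Table -AutoSize
```

Entries that show a raw SID instead of a name belong to deleted or unresolvable accounts and are worth reviewing along with any unexpected non-administrative principal in the list.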



