1 00:00:06,430 --> 00:00:14,210 You implement the Active Directory administrative delegation model by merging the OU design with 2 00:00:14,210 --> 00:00:17,020 the permissions on the OUs. 3 00:00:17,020 --> 00:00:26,410 This enables delegated administrators to fulfill administrative tasks. To create the administrative task 4 00:00:26,410 --> 00:00:31,560 model and design the OU structure to support it, 5 00:00:31,600 --> 00:00:37,000 you must understand how Active Directory administrative delegation works. 6 00:00:37,120 --> 00:00:43,180 You must also understand the options for delegating administrative control. 7 00:00:43,240 --> 00:00:49,550 So how do users get permissions? When users sign in to an Active Directory domain, 8 00:00:49,630 --> 00:00:56,900 they receive a token. A token is a list of the SIDs of their individual account, 9 00:00:57,010 --> 00:01:06,340 historical accounts, and every group they belong to, even recursively. If any group was migrated from another 10 00:01:06,340 --> 00:01:14,230 domain, it is likely that they also received the historical SIDs of those groups in the former domain. 11 00:01:14,500 --> 00:01:16,580 In Windows operating systems, 12 00:01:16,690 --> 00:01:25,540 many objects, such as files, folders, registry keys, processes and Active Directory objects, contain 13 00:01:25,690 --> 00:01:34,660 a security descriptor based on SIDs. The security descriptor defines which rights are granted or denied 14 00:01:34,960 --> 00:01:35,990 to whom. 15 00:01:36,040 --> 00:01:44,730 When a user browses files and folders or registry keys, or navigates through the Active Directory domain 16 00:01:44,740 --> 00:01:53,590 structure, the system compares the list of SIDs in the token with the list of SIDs in the security descriptor. 17 00:01:53,590 --> 00:02:02,350 If there are any matching SIDs, the system evaluates the type of access and allows or prohibits the 18 00:02:02,350 --> 00:02:04,000 current operation.
19 00:02:04,000 --> 00:02:12,220 Now let's review Active Directory OU permissions and Active Directory object security descriptors. 20 00:02:12,370 --> 00:02:19,930 First, permissions in Active Directory. The permission model is more complex than in most other Windows 21 00:02:19,930 --> 00:02:27,800 operating system services. Security settings in the Active Directory domain are inherited hierarchically 22 00:02:28,170 --> 00:02:31,120 in the OU structure of the domain. 23 00:02:31,120 --> 00:02:37,930 At any point in the structure you can configure additional security settings that could be inherited 24 00:02:37,930 --> 00:02:45,430 throughout the hierarchy, depending on the scope of inheritance that the security setting defines 25 00:02:45,730 --> 00:02:50,650 and whether inheritance is blocked at a local level. 26 00:02:50,650 --> 00:02:59,200 New objects obtain the default security settings that their schema class defines and inherit security settings 27 00:02:59,200 --> 00:03:00,500 from their parents. 28 00:03:00,520 --> 00:03:09,490 For example, in the OU schema definition, Account Operators has full rights to create and delete objects 29 00:03:09,760 --> 00:03:17,460 for computer accounts, user accounts, group objects and inetOrgPerson objects. 30 00:03:17,470 --> 00:03:25,560 Therefore, if you remove the default Account Operators group from the security permissions of an 31 00:03:25,570 --> 00:03:33,910 OU and then create a child OU, the child OU retains the explicit security settings of Account 32 00:03:33,910 --> 00:03:34,900 Operators.
33 00:03:34,900 --> 00:03:41,950 Now let's talk about the Active Directory object security descriptors. A security descriptor of an Active 34 00:03:41,950 --> 00:03:50,240 Directory object contains the following parts: the owner of the object. The owner can reset security 35 00:03:50,240 --> 00:03:58,690 settings even when he or she accidentally configured them to have no permissions on the object. Another 36 00:03:58,690 --> 00:04:00,760 part of the security descriptor is 37 00:04:00,760 --> 00:04:10,050 the primary group of the owner. The next part is a control field that specifies whether the discretionary 38 00:04:10,170 --> 00:04:20,050 access control list, or DACL, or the system access control list, or SACL, is present or is blocking inheritance. 39 00:04:20,050 --> 00:04:28,190 There are two other parts of the security descriptor: an optional DACL and an optional SACL. 40 00:04:28,300 --> 00:04:36,800 The first one contains permissions for granting or denying access, and the second one contains the audit 41 00:04:36,810 --> 00:04:40,300 entries for when you have enabled 42 00:04:40,300 --> 00:04:49,960 success or failure auditing. The DACL and the SACL are containers that contain one or more access 43 00:04:49,960 --> 00:04:54,850 control entries, or ACEs. An ACE stores 44 00:04:54,850 --> 00:05:02,200 the following information: who is allowed or denied access; which permissions are granted to the security 45 00:05:02,200 --> 00:05:03,190 principal: 46 00:05:03,280 --> 00:05:10,890 read, write, create or delete; on which objects or object attributes an action can be performed; 47 00:05:11,260 --> 00:05:18,640 and at what sublevels an action can be performed. In the OU Properties dialog box, 48 00:05:18,640 --> 00:05:27,840 you use the Security tab, in particular the Advanced Security Settings dialog box, to verify or adjust security 49 00:05:27,840 --> 00:05:28,610 settings.
50 00:05:28,690 --> 00:05:36,630 The Delegation of Control Wizard assists with some common tasks, but you cannot use it to review the security 51 00:05:36,650 --> 00:05:37,330 settings.
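As an added example (not part of the course transcript above), the following PowerShell does from the command line what the transcript describes in the OU Properties dialog box: it reads an OU's security descriptor through the AD: drive (owner, primary group, whether DACL and SACL inheritance is blocked, and each ACE with its allow/deny type, right, inherited-or-explicit flag, and object-class or attribute scoping), then delegates one task, Reset Password on user objects beneath the OU, by adding an ACE for a group and re-reading the DACL. The OU name, the group name and the contoso.com domain are assumptions; the two GUIDs are the schema identifiers of the Reset Password control access right and of the user object class.

```powershell
# Added example, not from the course. Assumed, hypothetical names:
# the OU "OU=Sales,DC=contoso,DC=com" and the group "Sales-Helpdesk".
# Run on a domain-joined machine with the RSAT ActiveDirectory module as a
# user allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn     = 'OU=Sales,DC=contoso,DC=com'           # assumed OU
$group    = Get-ADGroup -Identity 'Sales-Helpdesk'  # assumed delegated-admin group
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# 1. Read the OU's security descriptor. -Audit also returns the SACL, which
#    needs SeSecurityPrivilege; drop it if you only want the DACL.
$acl = Get-Acl -Path "AD:\$ouDn" -Audit

'Owner                    : {0}' -f $acl.Owner
'Primary group            : {0}' -f $acl.Group
'DACL inheritance blocked : {0}' -f $acl.AreAccessRulesProtected
'SACL inheritance blocked : {0}' -f $acl.AreAuditRulesProtected

# 2. The DACL, one row per ACE. IsInherited = False marks explicit ACEs, such
#    as the Account Operators entries the OU schema class writes into a new OU;
#    ObjectType / InheritedObjectType show which right or attribute and which
#    object class the ACE is scoped to.
$acl.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  IsInherited, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 3. Delegate "Reset Password" on user objects under the OU: an allow ACE for
#    the group's SID, limited to the Reset Password extended right, applied to
#    descendant objects of class user only.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Verify by re-reading the DACL and keeping only ACEs whose SID equals the
#    group's SID: the same SID-to-SID match the system makes at access-check
#    time between the user's token and the security descriptor.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                 ObjectType, InheritedObjectType, IsInherited -AutoSize
```

The ACE is written with inheritance type Descendents and an inherited-object-type of the user class, so it applies only to user objects below the OU and not to the OU itself or to groups and computers; run step 2 on a child OU afterwards to see the ACE arrive there with IsInherited set to True, unless inheritance is blocked on that child.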