Access Control is a general term describing how administrators can secure access to objects in Active Directory. The term access control is also used for both the Windows Server and Windows XP platforms to describe how files and folders can be secured using the NTFS file system, as well as how access to shared folders, printers, and other network resources can be controlled.
How It Works
Access control can be applied to any object in Active Directory, but it is applied most often to a group or a container. Access control to directory objects is implemented primarily by assigning permissions and rights.
Permissions are assigned to an object to determine who can access that object and at what level. Permissions can be set by an administrator or by the owner of the object. The kind of permission that can be applied depends on the type of object being considered. Some of the objects to which permissions can be applied include:
- NTFS file system objects such as files, folders, and volumes
- Local system objects such as processes and programs
- Local or Active Directory objects such as user, group, or printer objects
The issue of inheritance is related to permissions. When permissions are assigned to a folder on an NTFS volume, they are also inherited by default by all existing child folders and files within the folder, and by any new child folders or files created later. Similarly, when permissions are assigned to a container in Active Directory, they are also inherited by default by all existing child objects within the container and by any new child objects created later.
Rights are assigned to user or group accounts to provide them with authorization to perform a specific system task, such as backing up a volume, shutting down the system, or logging on to the console interactively. Rights are most often assigned to groups rather than individual users to simplify administration. Rights can be specified at either the local or domain level.
Another aspect of access control is the issue of ownership. When a user creates an object in Active Directory or a file on an NTFS volume, he or she becomes the owner of that object or file. The owner has the right to set and modify the permissions of the object. Every object in Active Directory and every file or folder on an NTFS volume has an owner.
One additional aspect of access control is the issue of auditing. Files and folders on an NTFS volume can be audited to record successful and failed attempts to access them. This can be important in detecting security breaches in your network.
When assigning permissions to objects in Active Directory, you can assign them either to the object itself (and therefore to all its attributes) or to specific attributes of the object. For example, you could allow all users to have read access to the Phone Number attribute of users in Active Directory, while granting the clerical group read/write access to that attribute so that they can modify users’ phone numbers if necessary.
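The attribute-level delegation just described, combined with the inheritance described earlier, as an added PowerShell example (not part of the original article): it grants all authenticated users read access to the telephoneNumber attribute of user objects under an OU and gives one group read/write on that single attribute. The OU distinguished name and the group name are placeholders; the ActiveDirectory module and a domain-joined session are assumed.

```powershell
# Added example, not from the original article. Placeholders to replace:
# the OU path and the CORP\Clerical group.
Import-Module ActiveDirectory

$ouPath   = 'AD:\OU=Staff,DC=corp,DC=example'                        # placeholder OU
$clerical = [System.Security.Principal.NTAccount]'CORP\Clerical'      # placeholder group
$allUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # Authenticated Users

# Read the schemaIDGUIDs from the schema rather than hard-coding them:
# one for the attribute being delegated, one for the object class it applies to.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "ldapDisplayName -eq '$ldapName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$phoneAttrGuid = Get-SchemaGuid 'telephoneNumber'
$userClassGuid = Get-SchemaGuid 'user'

$acl = Get-Acl -Path $ouPath

# ACE 1: every authenticated user may read telephoneNumber on user objects
# below this OU. Descendents + inheritedObjectType = user class keeps the ACE
# from applying to the OU itself or to other object classes.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $allUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $phoneAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: the clerical group may also write that one attribute, and nothing else.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $clerical,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $phoneAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path $ouPath -AclObject $acl

# Check: list the ACEs on the OU that are scoped to this attribute, so the
# delegation can be reviewed and any later widening of it noticed.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.ObjectType -eq $phoneAttrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Because the ACEs are inheritable, user objects created in the OU later receive them automatically, which is the inheritance behaviour the article describes for containers.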