Lecture 8 permissions

Lecture 8: Permissions and Resources (Network Design & Administration)

Transcript of Lecture 8 permissions

Page 1: Lecture 8 permissions

Lecture 8: Permissions and Resources
Network Design & Administration

Page 2: Lecture 8   permissions

Group Types
• When defining a group, need to consider its type.
• This will dictate what it can and cannot do (i.e. the security and permissions of the group).
• Four basic types of groups:
  • Distribution groups
  • Security groups
  • Application basic groups
  • LDAP query groups
• Administrators mostly use security groups to specify what permissions the group has when interacting with a resource.
• Distribution groups are used when limited access to a resource is required (e.g. used extensively in MS Exchange Server for sending emails to groups).

Page 3: Lecture 8   permissions

Groups Scope
• Groups have a Scope.
• Depending on its scope, a group can be assigned permissions to different extents in the domain structure.
• There are three types of scope:
  • Domain Local
  • Global
  • Universal
• Group scope is affected by the Functional Level of the domain in which it exists.
• The functional level of a domain is dictated by the lowest version of Windows Server running as a domain controller within the domain.
• This can also dictate the functional level of a forest.

Page 4: Lecture 8   permissions

Domain Functional Levels [1]
• Limits what functionality domain controllers offer within the domain.
• All functional levels provide the default Active Directory Domain Services feature set plus additional features depending on the operating system.

Functional Level: Features [1]
• Windows 2000 Native: Universal groups enabled for distribution and security groups; group nesting; group conversion; SID history.
• Windows Server 2003: Domain rename; last logon timestamp; password setting on inetOrgPerson / User objects; redirect users/computers containers; Authorization Manager policies; constrained delegation; selective authorisation.
• Windows Server 2008: Distributed File System replication of SYSVOL; Advanced Encryption Standard (AES) support for Kerberos; interactive logon information; fine-grained password policies.
• Windows Server 2008 R2: Active Directory domain recycle bin.

Page 5: Lecture 8   permissions

Forest Functional Levels [1]
• Domain functional levels impact the forest functional level.
• Each Server version adds more features to basic forest functionality.

Forest Functional Level: Features [1]
• Windows 2000: Default AD feature set.
• Windows Server 2003: Forest trust; domain rename; linked value replication; read-only domain controllers (RODC); improved knowledge consistency checker; dynamic objects; deactivation/redefinition of attributes and classes in the schema.
• Windows Server 2008: No additional forest level features; domains will default to a Server 2008 functional level instead of a 2003 one.
• Windows Server 2008 R2

Page 6: Lecture 8   permissions

Group Scope Revisited! [2]
• Scope can be domain local, global, or universal.

Domain Local
• Group membership can include [2]: user accounts from any domain in the forest; global groups or universal groups from any domain in the forest; user accounts or global or universal groups from any domain in a trusted forest; nested domain local groups from the local domain.
• Can be used to [2]: assign access to resources only in the local domain, on all servers in the domain running Windows Server 2000/2003/2008.

Global
• Group membership can include [2]: user accounts from the domain where the group is created; nested global groups from the local domain.
• Can be used to [2]: assign access to resources in all domains in the forest or between trusted forests; member servers running Windows Server.

Universal
• Group membership can include [2]: user accounts from any domain in the forest; global groups from any domain in the forest; nested universal groups from any domain in the forest.
• Can be used to [2]: assign access to resources in all domains in the forest or between trusted forests; on all servers running Windows 2000 or later.

Page 7: Lecture 8   permissions

Why?
• Allows different groups different degrees of permission when included within each other.
• Different sorts of objects are allowed membership of different group types (scopes).
• Remember, this applies to security groups. Distribution groups, as mentioned previously, only relate to directory-aware applications (e.g. MS Exchange).
• Since security groups can also be used as distribution groups, administrators often don’t bother with the latter.

Page 8: Lecture 8   permissions

Domain Local Groups
• Available even in lower domain functional levels.
• Typically assigned permissions to resources (e.g. a shared folder or printer).
• This then allows easier group nesting.
• Can also be used to group users from the same domain needing the same permissions to access a resource in the same domain.
• Can only be used to assign permissions to resources in the domain in which they were created (the meaning of domain local!).
• See the table for permitted membership.

Page 9: Lecture 8   permissions

Global groups
• Often used to gather users or computers together in the same domain with the same role or function, or requiring similar access.
• Can only include members from within their own domain (including other global groups from the same domain).
• Can be granted permissions for resources in any domain in the forest and in trusted domains in other forests.
• Not replicated outside of their own domain – using them minimises replication traffic to the global catalogue.
• Use these for objects that require frequent maintenance (e.g. user or computer accounts).

Page 10: Lecture 8   permissions

Universal groups
• Used mainly to grant access to related resources in multiple domains (e.g. if executives need access to printers throughout the network).
• Mainly used to consolidate groups that span multiple domains – unnecessary in single-domain networks.
• Best practice:
  • Create a global group in each domain for user or computer accounts, then have a universal group contain the global groups.
  • Avoids too much replication traffic, since universal group membership then changes infrequently.

Page 11: Lecture 8   permissions

Global & Domain Local Groups - Planning
1. Create domain local groups for shared resources (e.g. a group for a set of colour printers).
2. Assign resource permissions to the domain local group (e.g. whatever permissions are needed to use the printers).
3. Create global groups for users with common roles (e.g. Accounts or Sales).
4. Add the global groups into the appropriate domain local groups (e.g. to give Sales access to the specialist printers).
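As an added illustration (not code from the lecture), a small Python model of these four planning steps together with the membership and assignment rules from the group-scope table; the domain, group and user names are constructed, and it assumes a single forest with no trusted forests.

```python
from dataclasses import dataclass, field

# Membership rules from the group-scope table (single forest, trusted forests omitted): the
# member kinds each scope may hold, from its own domain only ("local") or any in the forest.
CAN_CONTAIN = {
    "DomainLocal": {"user": "forest", "Global": "forest", "Universal": "forest", "DomainLocal": "local"},
    "Global": {"user": "local", "Global": "local"},
    "Universal": {"user": "forest", "Global": "forest", "Universal": "forest"},
}

@dataclass(frozen=True)
class User:
    name: str
    domain: str

@dataclass
class Group:
    name: str
    domain: str
    scope: str                                   # "DomainLocal", "Global" or "Universal"
    members: list = field(default_factory=list)
    def add(self, member):                       # nest a user or group, enforcing the scope rules
        kind = "user" if isinstance(member, User) else member.scope
        rule = CAN_CONTAIN[self.scope].get(kind)
        if rule is None or (rule == "local" and member.domain != self.domain):
            raise ValueError(f"{self.scope} group {self.name} cannot contain {kind} {member.name}")
        self.members.append(member)

def grant(resource_domain, group, acl):
    # Domain local groups can only be assigned permissions in the domain that created them.
    if group.scope == "DomainLocal" and group.domain != resource_domain:
        raise ValueError(f"{group.name} is domain local to {group.domain}, not {resource_domain}")
    acl.append(group)

def users_with_access(acl):
    # Expand nested membership to the users an ACL actually reaches.
    users = set()
    for member in acl:
        users |= {member} if isinstance(member, User) else users_with_access(member.members)
    return users

def agdlp_example():
    # The four planning steps, using constructed domain, group and user names.
    printer_acl = []
    printer_users = Group("ColourPrinterUsers", "uni.example", "DomainLocal")  # 1. DL group for resource
    grant("uni.example", printer_users, printer_acl)                           # 2. permissions on DL group
    sales = Group("Sales", "uni.example", "Global")                            # 3. global group per role
    sales.add(User("alice", "uni.example"))
    printer_users.add(sales)                                                   # 4. nest global in DL
    return printer_acl, sales
```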

Page 12: Lecture 8   permissions

Permissions
• A privilege granted to a user, group or computer to perform a particular action or access a particular resource.
• Windows Server 2008 has many different sorts of permissions – the most visible are:
  • File-system – access to files & folders under NTFS.
  • Share – access to file system and printer shares.
  • AD – access to Active Directory objects.
  • Registry – access to registry keys.
• They are all separate/different!

Page 13: Lecture 8   permissions

Access Control Lists (ACL)
• An Access Control List is associated with the object being accessed, not the object accessing it.
• Lists all security principals that can access that object (e.g. users, groups, etc.).
• Also lists what operations can be done to the object.
• The list is made up of Access Control Entries (ACEs), i.e. the name of the security principal and the permissions it has been granted.
• Example:

/home/cmp3robinj/
[ACL] (cmp3robinj, read) (cmp3robinj, write) (cmp3robinj, create) (cmp3robinj, delete) (admins, read) (admins, write)

Each (principal, permission) pair is an Access Control Entry.

Page 14: Lecture 8   permissions

NTFS Permissions
• Mostly can use Standard permissions for NTFS files and folders:
  • Read, Read & Execute, Write, Modify, List Folder Contents, Full Control
• Occasionally need to set up more fine-grained access, using the 14 NTFS Special Permissions.
• The Standard permissions are just a convenient grouping of the Special permissions into the most frequently used sets.
• There are slight differences when permissions are applied to a file rather than a folder (and List Folder Contents is obviously not applicable to files!).

Page 15: Lecture 8   permissions

Example Permissions
Note: the list in this case gives Users Read & Execute, List Folder Contents and Read permissions only.
Permissions can be explicitly Allowed or Denied.
Creator Owner is a ‘Special User’. Will discuss again later.

Page 16: Lecture 8   permissions

Access to Special Permissions
To make more detailed changes, need to edit an individual ACE.
Note that permissions can be inherited from higher folders (not applicable when the folder is the root of C:).

Page 17: Lecture 8   permissions

Example Permissions Breakdown
“Read & Execute” is composed of:
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Read Permissions
• Synchronise
• Traverse Folder/Execute File

Without Traverse Folder/Execute File, this set is the “Read” Standard Permission.
Traverse Folder lets security principals move through inaccessible folders to reach folders / files they are allowed to access.

Page 18: Lecture 8   permissions

Inheritance Rules for Permissions
• By default, subordinate objects inherit the permissions possessed by the parent.
• e.g. if a user is granted permission to the root of a drive, they have the same permission on all files and subfolders.
• Can counteract inheritance by either:
  • Turning off inheritance – when working with special permissions.
  • Denying permissions explicitly.

Page 19: Lecture 8   permissions

Precedence Rules for Permissions
• Allowed permissions are cumulative:
  • All of the permissions of a security principal combine to give the Effective Permissions.
• Denied permissions override Allowed permissions:
  • Explicitly denying permissions overrides Allowed from any other source.
• Explicit permissions take precedence over inherited permissions:
  • So explicitly Allowed overrides inherited Denied.

Page 20: Lecture 8   permissions

Permissions can get complicated!
• As a result, depending on a user’s group membership and any permissions given explicitly to that user, you get the combination of all of them!
• Not directly shown in the Properties window, since it shows the separate groups etc.
• e.g. User cmp3robinj is granted Allow Read & Execute on folder ModuleSpecs. But cmp3robinj is also a member of the Lecturers group, which has been granted Allow Full Control, and the Everyone group, granted Allow Read.
• Therefore, cmp3robinj has an effective permission of Allow Full Control on this folder.
• Need to use the Effective Permissions view.
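The evaluation just described, as an added Python example that is not part of the lecture: it applies the inheritance and precedence rules from the two preceding slides to a constructed ACL for the ModuleSpecs folder and reaches the same result for cmp3robinj. The Special Permission sets are assumptions, with Read & Execute built as the Example Permissions Breakdown slide lists it.

```python
from dataclasses import dataclass

# Standard NTFS permissions as the sets of Special Permissions they group together
# (assumed subsets of the 14, enough to tell the Standard permissions apart).
READ = frozenset({"List Folder/Read Data", "Read Attributes", "Read Extended Attributes",
                  "Read Permissions", "Synchronise"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
WRITE = frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                   "Write Attributes", "Write Extended Attributes"})
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files", "Change Permissions", "Take Ownership"}

@dataclass(frozen=True)
class ACE:
    principal: str      # user or group the entry applies to
    rights: frozenset   # Special Permissions the entry covers
    allow: bool         # True for Allow, False for Deny
    inherited: bool     # True if inherited from a parent folder, False if set explicitly

def effective_permissions(acl, user, groups):
    """Effective Permissions of `user` (member of `groups`) on the object owning `acl`.

    Entries apply from lowest to highest precedence: inherited Allow, inherited Deny,
    explicit Allow, explicit Deny, so a higher-precedence entry overrides a lower one
    for the same right; Allow entries accumulate, giving the cumulative result."""
    principals = {user, *groups}
    relevant = (ace for ace in acl if ace.principal in principals)
    granted = set()
    for ace in sorted(relevant, key=lambda a: (not a.inherited, not a.allow)):
        if ace.allow:
            granted |= ace.rights
        else:
            granted -= ace.rights
    return frozenset(granted)

def standard_name(rights):
    """Highest Standard permission fully contained in `rights`, else 'Special'."""
    for name, bits in (("Full Control", FULL_CONTROL), ("Modify", MODIFY),
                       ("Read & Execute", READ_EXECUTE), ("Read", READ), ("Write", WRITE)):
        if bits <= rights:
            return name
    return "Special"

# Constructed ACL for the ModuleSpecs folder from the lecture's worked example.
MODULE_SPECS_ACL = [
    ACE("cmp3robinj", READ_EXECUTE, allow=True, inherited=False),
    ACE("Lecturers", FULL_CONTROL, allow=True, inherited=False),
    ACE("Everyone", READ, allow=True, inherited=False),
]
```

Like the Effective Permissions view, this only models NTFS entries; share permissions and the logon method are not taken into account.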

Page 21: Lecture 8   permissions

Effective Permissions
Only takes account of NTFS interactions. Does not include the effects of Share Permissions or login method.
Read-only!
Checking on a single folder or file to determine a particular user’s permissions.

Page 22: Lecture 8   permissions

Next time & References
• Further different sorts of permissions – including file shares.

[1] Windows Server 2008 Active Directory Resource Kit, page 181-
[2] Windows Server 2008 Active Directory Resource Kit, page 368-369