Showing posts with label windows server active directory.

Sunday, May 17, 2009

Win Server 2008: Owner Rights in Active Directory Domain Services

Windows Server 2008 introduces new capabilities for Active Directory Domain Services object ownership. These new capabilities do not change the default permissions that the owner of an object is granted; however, they do provide the ability to modify the permissions granted to the owner of an object. The ability to restrict the permissions for the owner on an object is a welcome security enhancement in Windows Server 2008.

Each Active Directory Domain Services object has a security descriptor, which makes it possible to secure the object by using permissions. A security descriptor contains all of the access control information for a given object, including:

* The owner of the object
* The primary group of the object (rarely used)
* The discretionary access control list (DACL)
* The system access control list (SACL)
* Control information

By default, the owner of the object is given the WRITE_DAC permission and READ_CONTROL permission. These permissions provide the owner with the ability to change permissions on an object and to read the permissions assigned to an object, respectively.

Issues with Pre-Windows Server 2008 Behavior of Object Ownership

There are a number of issues with the pre-Windows Server 2008 behavior of object ownership. It is important to cover these issues to provide a better understanding of the benefits.

One of the biggest security risks with the pre-Windows Server 2008 behavior of object ownership is that it provides a path to escalate privileges. Consider the scenario in which you've granted your help desk permission to create user accounts but not permission to delete user accounts. When a member of the help desk subsequently creates a user account, he becomes the owner of that user account object in the directory. With the pre-Windows Server 2008 behavior of object ownership, he automatically receives the ability to change permissions on the user object. If he wants to delete the user object, or grant anyone else the ability to do so, he can grant that ability simply by modifying the permissions on the user account object.

With the pre-Windows Server 2008 behavior of object ownership, your only recourse is to take ownership of an object. As a safeguard, members of the Administrators group can always take ownership of an object, even if the current owner has denied Administrators the permissions to modify the object. However, taking ownership of an object is essentially a reactive step; the pre-Windows Server 2008 behavior of object ownership offered no means of being proactive.

By default, Windows Server 2008 designates the creator of an object as the owner, which is the same as the pre-Windows Server 2008 behavior. Furthermore, Windows Server 2008 still grants the owner the ability to change permissions on an object and to read its permissions, which is also consistent with the pre-Windows Server 2008 behavior. However, Windows Server 2008 introduces a new well-known security principal called Owner Rights, which can be used to restrict the permissions that the owner of an object is granted. In Windows Server 2008, you can add the Owner Rights well-known security principal to the Discretionary Access Control List (DACL) of an object and control the permissions assigned to the owner of that object. When you add the Owner Rights well-known security principal to the DACL of an object, you can specify exactly which permissions the owners of objects receive. This new capability overrides the default pre-Windows Server 2008 behavior of object ownership.
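As an added example (not part of the original post), the following PowerShell script applies the Owner Rights restriction described above to an OU so that help desk staff who create user objects under it are left with read-permissions only, closing the escalation path from the earlier scenario. It assumes the RSAT ActiveDirectory module on a domain-joined host, sufficient rights to modify the OU's DACL, and a placeholder OU distinguished name that you replace with your own.

```powershell
# Added example: restrict what the owner of objects under an OU may do by adding
# an explicit ACE for the OWNER RIGHTS well-known security principal (SID S-1-3-4).
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=HelpDeskManaged,DC=example,DC=com'   # placeholder: use your own OU

# The OWNER RIGHTS principal; permissions granted to it apply to whoever owns the object.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'

# Read the OU's current security descriptor through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$ouDn"

# Grant the owner only ReadControl (read permissions), inherited by all child objects.
# Once an explicit Owner Rights ACE exists, the implicit owner grant of
# WRITE_DAC + READ_CONTROL no longer applies, so the owner can no longer
# rewrite the DACL to give himself (or others) delete rights.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ownerRights,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadControl,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify the ACE landed: list every entry that references OWNER RIGHTS.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*OWNER RIGHTS*' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize
```

Administrators keep their ability to take ownership regardless of this ACE, so the restriction only changes what an ordinary owner can do, not the safeguard described above.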


Source: enterpriseitplanet.com

Wednesday, November 26, 2008

Train Signal Releases New Microsoft Server 2008 Active Directory Training

Train Signal Inc., a global leader in professional computer training, is excited to announce the release of their new training course, Microsoft Windows Server 2008 Active Directory. Following the launch of this course, Train Signal will be releasing additional training courses for Windows Server 2008.

The comprehensive Windows Server 2008 Active Directory training features more than 20 hours of video instruction on two DVDs. Multiple file formats, such as iPod Video, MP3 Audio, .WMV and .AVI, are available to make the training even more convenient. And students can print out the instructor's notes to follow along more easily and enhance the learning process.
The training package also helps students prepare for the 70-640 Configuring Windows Server 2008 Active Directory exam. It covers everything they need to know to pass the exam and includes the award-winning 70-640 practice exam software from Transcender, the world's leading exam simulation provider.

"This training package is perfect for anyone who wants to gain hands-on experience on Microsoft Server Active Directory 2008 and prepare for the 70-640 MCITP exam," said Iman Jalali, Train Signal's Director of Sales and Marketing. "We are pleased to offer this extensive package of training materials to help everyone from beginners to experienced administrators enhance their skills."

Train Signal's Windows Server 2008 Active Directory training package is designed to help students develop real skills that they can apply immediately. Key topics covered in the training include:
  • Creating Domain Controllers
  • User Account Creation
  • Group Policy
  • Back Up and Restore/Disaster Recovery
  • Read-Only Domain Controllers in Server Core
  • Sharing Folders and Files
  • Remote Software Installation through Group Policy
  • MCITP: 70-640 Certification
Train Signal's Windows Server 2008 Active Directory video course is instructed by Benjamin "Coach" Culbertson, MCT, MCSA, MCDBA, CIW, A+, Net+, MOS. Culbertson has a passion for educating and motivating students. He has 10 years of training, Web, print and network consulting experience and uses a high-energy teaching style that keeps students engaged.

Source: marketwatch.com

Tuesday, July 1, 2008

Active Server Directory

An Active Directory (sometimes referred to as an AD) performs a variety of functions: it provides information on objects, organizes those objects for easy retrieval and access, allows access by end users and administrators, and allows the administrator to set up security for the directory.

An Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web and email servers; and objects, which are the main functions of the domain and network.

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, an end user, or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to being able to hold other objects, every object has its own attributes, which allow it to be characterized by the information it contains. Most IT professionals call these settings or characterizations schemas.

The type of schema created for a folder ultimately determines how these objects are used. For instance, some objects with certain schemas cannot be deleted; they can only be deactivated. Other types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object cannot be deleted.

When learning about Active Directory, it is important to know the framework within which objects can be viewed. In fact, an Active Directory can be viewed at any one of three levels, called forests, trees, and domains. The highest structure is called the forest, because from it you can see all objects included within the Active Directory.

Within the forest structure are trees; these structures usually hold one or more domains. Further down the structure of an Active Directory are single domains. To put forests, trees, and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest are trees that hold information on specific objects such as domain controllers, program data, system, etc. Within these objects are even more objects, which can then be controlled and categorized.