How Inheritance Affects Access Control

By Author: fiona
Total Articles: 191
Comment this article

There are two ways of assigning permissions to an object: assigning A+ certificate permissions explicitly and assigning them indirectly through inheritance. Permissions set explicitly are defined directly on an object by the object's owner. Permissions assigned through inheritance are propagated to a child object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container by minimizing the number of times that you need to assign permissions for objects.
Off the Record The Windows Support Tools include the SDCheck utility, introduced in Chapter 3. You can use this utility to diagnose permission inheritance and permission replication issues. For example, if you run the command sdcheck serverl administrator@contoso.com, you'll receive a list of permissions assigned to the Administrator account of the con-toso.com domain according to Serverl. If you run the command sdcheck server2 admin-istrator@contoso.com, you'll see the same output according to Server2. You can compare the ...
... two results in an attempt to locate a discrepancy. In order to make the com-parison more easily, you can use a file comparison utility, such as Windiff.exe, which is also part of the Windows Support Tools. In that case, you'd ensure the output of the SDCheck commands went to a file by adding filename.txt to the end of the command. If you find a discrepancy, this may be an indication that there is something wrong with the replication process. For additional examples of how to use plus benefits SDCheck, perform a Web search on "SDCheck examples."
For example, as shown in Figure 9-8, if you assign Full Control permission to the Sales group for the East OU, the permission can be propagated to the child objects of the Fast OU, the Chicago and Columbus OUs, and their respective child objects, a shared folder named Account Information, and two users. Therefore, permissions for the Sales group in the Fast OU are explicit permissions, while the permissions for the Sales group in the OUs, shared folder, and users are inherited permissions.
To control access to Active Directory objects, you grant or deny permissions to security principals. You set permissions to either Allow or Deny. Deny permissions take precedence over all other permissions.
When an object is created, the user creating it automatically becomes its owner.The owner controls how permissions are set on the object and to whom permissions are granted.
You can set selective authentication differently for outgoing and incoming external and forest trusts. These selective trusts allow you to make flexible access control ccna exam fees decisions between external domains and forest-wide.