Using delegation of control

As an alternative to using the built-in groups, you can granularly delegate permissions per OU.

There are a couple of recommended practices to keep you and your colleagues from insanity:

  • Build a delegation of control model and/or authorization matrix before performing delegation of control. This way, delegation settings can be continually documented, agreed upon, and transferred to other admins without adding unnecessary complexity.
  • Always use groups when delegating permissions, not individual user or computer accounts. This way, giving permissions is a matter of (temporarily) adding a user account to a group, instead of going through the Delegation of Control Wizard each time. It also makes auditing that much easier.
  • Avoid Deny permissions wherever you can, because they add complexity: a Deny entry takes precedence over any Allow entry that grants the same right.
  • Use a hacker mindset. Always test the delegation settings for any unwanted effects.
  • Combine delegation of control over groups with NTDS Quotas, so that group administrators can't create over 1,000 groups, add members to them, and cause a denial of service: user accounts can't be used to sign in once they hold over 1,023 group memberships.
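The "hacker mindset" check above can be scripted. The following PowerShell is an added example, not code from the book: it lists the explicit (non-inherited) ACEs on one OU and flags the two things the practices above warn against, Deny entries and permissions granted directly to user or computer accounts instead of groups. It assumes the ActiveDirectory module with its `AD:` drive, and the OU distinguished name is a placeholder to replace.

```powershell
# Added example: audit explicit ACEs on an OU against the delegation practices above.
# Assumes the ActiveDirectory module (AD: drive); $ouDN is a placeholder to replace.
Import-Module ActiveDirectory

$ouDN = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

# Non-inherited ACEs are the ones the Delegation of Control Wizard (or a manual edit) added here
$acl      = Get-Acl -Path "AD:\$ouDN"
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }

foreach ($ace in $explicit) {
    $findings = @()

    # Practice: avoid Deny entries, because they override every Allow entry
    if ($ace.AccessControlType -eq 'Deny') {
        $findings += 'Deny ACE'
    }

    # Practice: delegate to groups, never to individual user or computer accounts
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $principal = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($principal -and $principal.ObjectClass -in @('user', 'computer')) {
            $findings += "granted directly to a $($principal.ObjectClass) account"
        }
    } catch {
        # Well-known or foreign SIDs (for example NT AUTHORITY\SYSTEM) have no AD object; skip them
    }

    if ($findings.Count -gt 0) {
        [PSCustomObject]@{
            OU       = $ouDN
            Trustee  = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType
            Rights   = $ace.ActiveDirectoryRights
            Findings = ($findings -join '; ')
        }
    }
}
```

Run it against each OU in your delegation model after every change; an empty result means the OU carries no Deny entries and no per-account delegation.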