FINAL WORD
User rights control global access over different aspects of a domain controller, server, or workstation. User rights are configured using Group Policy, giving granular control of each computer individually.
can always use the built-in “xcacls.exe”
tool, which comes with all Windows
computers.
Delegation
The concept of delegation falls
under the category of access control
lists, but it is a specific term used for
Active Directory and Group Policy
management. Due to the complexity
of Active Directory delegation, the
configuration of the delegation is
typically done through the Delegate
Control Wizard. This wizard is located
on the drop-down menu for the
domain node and for each Organisational
Unit in the Active Directory Users and
Computers tool. The wizard defines
which account (user or group) is
granted a specific task. The most
common tasks are resetting passwords
for users and modifying group
membership, both of which have a
potentially serious security impact
if the wrong account is granted the
delegation.
The Delegate Control Wizard can
only configure the delegations—it
can’t report or remove delegations.
Therefore, a different tool must
be used for each task. The built-in
“dsacls.exe” tool is ideal for
reporting on delegations for
each Active Directory node. As
for modifications to existing
delegations, that is typically left up
to manual efforts performed on the
Security tab located on the object’s
Property page.
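An added example, not part of the original article: one way to turn a dsacls.exe report into a review of the two delegations named above, password resets and group-membership changes. The sample report, the EXAMPLE account names and the allow-list are constructed, and the report layout is an assumption to check against real dsacls output.

```python
import re

# Constructed sample modelled on `dsacls "OU=Staff,DC=example,DC=com"` output.
# All names are hypothetical and the column layout is an assumption.
SAMPLE = r"""
Access list:
Allow EXAMPLE\Domain Admins             FULL CONTROL
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        LIST CONTENTS

Permissions inherited to subobjects are:
Inherited to user
Allow EXAMPLE\Helpdesk                  Reset Password
Allow EXAMPLE\Contractors               Reset Password
Inherited to group
Allow EXAMPLE\Interns                   SPECIAL ACCESS for member
                                        READ PROPERTY
Allow EXAMPLE\Contractors               SPECIAL ACCESS for member
                                        WRITE PROPERTY
                                        READ PROPERTY
"""

# Hypothetical allow-list of accounts expected to hold these delegations.
APPROVED = {r"EXAMPLE\Domain Admins", r"EXAMPLE\Helpdesk"}

ACE = re.compile(r"^(Allow|Deny)\s+(.+?)\s+(FULL CONTROL|Reset Password|"
                 r"SPECIAL ACCESS(?: for (\S+))?)\s*(?:<.*>)?$")

def risky_delegations(report):
    """Return (trustee, right, scope) for Allow entries that permit
    password resets or group-membership changes."""
    findings, scope, pending = [], "this object", None
    for line in report.splitlines():
        if line.startswith("Inherited to "):
            scope, pending = line[len("Inherited to "):].strip(), None
        elif (m := ACE.match(line)):
            pending = None
            kind, trustee, right, attr = m.groups()
            if kind != "Allow":
                continue
            if right in ("FULL CONTROL", "Reset Password"):
                findings.append((trustee, right, scope))
            elif attr == "member":
                pending = (trustee, scope)  # risky only if WRITE follows
        elif pending and line.strip() == "WRITE PROPERTY":
            findings.append((pending[0], "Write member", pending[1]))
            pending = None
    return findings

def unapproved(report, approved=APPROVED):
    """Risky delegations held by accounts outside the allow-list."""
    return [f for f in risky_delegations(report) if f[0] not in approved]
```

Entries returned by unapproved() are the ones to review by hand on the object's Security tab.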
www.intelligentcio.com