When a group is created in Active Directory, there are two decisions that need to be made. One decision concerns the scope of the group, which includes domain local, global, and universal. The other decision involves the group type: either security or distribution.

There are four scopes to choose from when creating a group in Active Directory. Each scope serves a unique purpose, so it is important to understand the distinctions between them. The group scopes available are

Formatting Windows servers and workstations with the NTFS (New Technology File System) has been an industry standard for years. NTFS provides advanced features that are not found in any version of file allocation table (FAT). For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. NTFS also provides advanced features, such as file and folder encryption, disk quotas, and compression.

Most importantly, Active Directory and file and folder permissions rely on NTFS. There really is no centralized management of user rights and permissions without NTFS.

NTFS is used in Windows Server 2003 for file-level security in the operating system. Each file and folder on an NTFS formatted drive is marked by an Access Control Entry (ACE) that limits who can and cannot access the object. NTFS permissions control read, write, and several other types of access.

NTFS has been revised in Windows Server 2003 to secure, by default, critical operating system files and directories to disallow their unauthorized use. Additionally, Windows Server 2003 does not by default grant full control to the Everyone group when creating file shares.

Changing permissions on files or folders is a simple process. Remember when changing permissions to take into account that permissions on subdirectories are inherited from their parent directories. For example, to add a group to the Access Control List (ACL) of a particular folder, perform the following steps:

As file resources are added to the enterprise, managing permissions can become an increasing chore. The administrator’s job in securing data while providing appropriate access is simplified greatly if you adhere to the following:

With Windows Server 2003, you have the capability to create, view, and manage permissions on any shared resource. A shared resource includes files, folders, printers, or any server resource made available, or published, to users.

Active Directory Shared Folders give you a tool for viewing a list of users connected over the network to a server share and the capability to disconnect one or all of them. Shared folders also give you the capability to see what shared files are opened by remote users and close one or all of the files.

To publish an Active Directory shared folder, follow these steps:

Before there were NTFS permission settings, permissions were set at the share level. Although you still have the capability to set permission at the share level, it is preferable to use NTFS-level security. Setting NTFS permissions is the best practice because it inherently secures subdirectories. Share-level security does not protect subdirectories easily.

There are some special points to consider when setting up permissions on files, folders, resources, or shares. The concept of enabling a permission is fairly self explanatory. For example, if the Read permission is Allowed for a user or group on a particular file or folder, that user or group will be able to read the contents of the file or folder. If inheritance is set, that read permission will flow down the directory structure from where it was assigned.

The Deny permission is often a trickier concept to comprehend. As a result, access problems can be caused inadvertently by the misuse or misunderstanding of how this permission setting works.

When permissions are set on a parent container, for example a parent level folder in a shared folder tree, groups or users are granted a certain level of permissions. By doing this, the Access Control Entry (ACE) for that folder restricts access to those individuals defined as members of the groups listed in the ACE. The restriction implicitly denies access to users not defined in the ACE. In this scenario, there is no need for an explicit Deny permission setting.

Deny settings are only used to override an allowed permission that is already set. This situation might occur when allowed permissions are inherited from a parent folder setting. Even this situation might not require explicitly making a Deny setting, as you can break the chain of inheritance and start a new ACE on the subfolder in question by replacing the inherited settings that exclude the group or user you want to exclude.

Deny permission settings on parent level folders can also be overridden in this fashion. Inherited Deny permissions do not prevent access to a subfolder if that subfolder has an explicit Allow permission entry.

In addition to granting users permission to resources, Windows Server 2003 introduces the concept of user rights or privileges. Privileges are similar to permissions in that they involve controlling access. Where permissions involve access to objects such as files, folders, and printers, privileges grant access to operating system functionality.

The exact list of available rights that you can configure depends on the operating system to which a user will be assigned rights. Some common examples of controllable privileges in Windows Server 2003 and Windows XP are the capability to back up files and directories, log on through Terminal Services, and create a pagefile.

For a complete list of configurable user rights or privileges, open the local policy editor for the operating system on which you want to grant or restrict access. You can also view user rights and privileges through the Group Policy Editor.

Granting user rights is a fairly straightforward process. You have to choose whether rights will be granted at the workstation level via the Local Policy Editor, or at the domain level via the Group Policy Editor. Assigning rights locally will only affect users of that particular workstation. Assigning rights using a domain Group Policy will affect all users or computers in the particular Active Directory container to which the group policy object is linked. Using the Group Policy Editor will be covered in the following section, “Using Group Policy to Administer Rights and Permissions.”

To assign a particular privilege, for example to grant the ability to load device drivers to the Power Users group on a local workstation, perform the following steps:

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the capability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right—in this case, the right to perform a backup—takes precedence over all file and directory permissions.

Previous sections demonstrated using the Local Policy Editor to manage user rights and privileges; you can assign these same user rights and privileges through the Group Policy Editor. The benefit of using group policies to assign user rights is that a larger scope of users or computers can be managed from a single configuration.

Assigning user rights with the Group Policy Editor is nearly identical to assigning rights with the Local Policy Editor. The exception is the process by which Group Policy Objects (GPOs) are linked to Active Directory container objects.

When you edit the local policy on a workstation or server to assign a particular user privilege, for example to grant the capability to perform backups and restores on a computer, then after the local policy is edited, the configuration is complete. When you make the same configuration at the domain level by creating or modifying a GPO, to enable the configuration, the administrator must also link that GPO to an Active Directory container, for example a particular Organizational Unit (OU). After the GPO is linked to an OU, the policy will apply to all computers contained in that OU. The process of linking a GPO to an AD container can be done in different ways. One way is to modify the properties of the target OU, and create or edit the GPO from that context.

To demonstrate this process in detail, the following example details the steps necessary to grant the capability to back up and restore files on all computers contained in the Sales OU to users contained in the local Power Users group of those computers.

Assigning user rights through group policies has the added security benefit of preventing changes to the configured settings at the local level. When there are conflicting settings between the local policy and a linked group policy, the group policy settings will override the local settings. Additionally, the local policy cannot be modified, even by a local administrator, if a group policy is in force.

Managing permissions for files and folders through group policies is similar to the process of editing the Access Control Entries (ACEs) on NTFS file folders and shares. Again, group policies can be used to enforce domain or OU-level security standards across a larger scope of computers. In the case of files and folders, you have the capability to replace the local ACEs on computers contained within the scope of the targeted AD container with ACE settings made in a GPO.

In addition to enforcing a security standard on common folder permissions across a broad target of computers, GPO permission settings can also be used to solve access problems that were not evident when initial permission settings were deployed locally.

For example, the default local permissions set on the folder, C:Program Files, limits users to read and execute permissions on this folder and its subfolders in a standard Windows XP workstation. If at a later time a new application is installed on several workstations that create subfolders to which users will need the write permission for proper execution, there will be an access problem that could potentially span hundreds of workstations. The process of changing the local ACE of each workstation would be extremely tedious and time consuming. On the other hand, you can change the ACE through a group policy and fix the problem with just a few keystrokes.

The following example modifies permissions on a particular subfolder, C:Program FilesHRApp, for all user workstations in the Human Resources OU:

In addition to being able to modify file and folder permissions, you have the capability to modify security settings in the Registry using group policies.

As is the case with file permissions, the functional application of setting Registry permissions with group policies are twofold: you can establish security standards across a greater scope of user permissions on workstations or servers; and you can apply fixes to computers already deployed to a vast population of users.

Just as some software requires file permission modifications to run correctly, it is not uncommon to find similar requirements for specific Registry keys. Such requirements, though, might not show up when initial testing and configuration of the software is performed. If an application is deployed to several hundred workstations only to find that a particular functionality does not work with the standard user Registry permissions, it is possible to fix the problem by targeting the workstations with a GPO that addresses the particular Registry security setting.

For example, a company might discover after deploying 400 new workstations that standard users cannot change their default JPEG viewer from Internet Explorer to Photo Editor in Windows XP (or vice versa). The workstations will require modified permissions to the following Registry key: HKLMSOFTWAREMicrosoftShared ToolsGraphic Filters. To modify these permissions through group policy, perform the following steps:

Because the most efficient way to manage access control to resources is by leveraging groups of various types, it is important to provide a means to manage group memberships across a wide scope of computer objects. To this end, group policies can be defined that limit or set the membership of groups across computer objects contained in the targeted AD container.

For example, you might want to limit the membership of the local Power Users group to the Engineering global group for computers contained in the Engineering OU of the domain. By enforcing such a policy, the local Power Users group cannot be modified at the local level to include any other members besides the Engineering global group.

To establish this restriction, perform the following steps:

Local profiles exist on a particular workstation or server’s hard disk. A single user could have several local profiles, each with different configuration settings, on various machines to which the user has logged in. Local profiles are managed individually at the workstation or server on which they exist.

Roaming profiles, on the other hand, are stored on a server file share. These profiles are downloaded from the server to the local workstation or server when the user logs into the domain. When the user logs off, the profile is then pushed back up to the server.

Roaming user profiles have the advantage of providing a standard set of profile settings to users regardless of the machine at which she logs into. The disadvantage is that the time it takes to log on or log off will depend on the size of the roaming user profile in use. A best practice for implementing roaming user profiles is to also implement folder redirection. Folder redirection is detailed in Chapter 6 in the section “Increasing Fault Tolerance with Intellimirror.”

Each Windows 2000, Windows XP, and Windows Server 2003 system includes Default and All Users Profiles. These profiles are helpful in setting up a user experience that will affect any user that logs into the system.

The All Users profile folder contains settings that will apply to all users logging into that system. You can use this folder to add desktop shortcuts or start menu items to the users’ specific desktop settings in their local or roaming profile settings. The All Users profile are machine specific and will not modify a user’s local or roaming profile settings.

The Default User profile is used whenever a user logs into a system for the first time. To manage how local profiles are configured on a system, configure the default user profile. You can configure the default user profile by configuring a local user profile, and then copying that configured profile to the default profile folder.

To create a default profile, follow these steps:

A mandatory profile is the same as a roaming profile except that changes made to the profile settings are not saved to the server upon logoff. These profiles are commonly used in classrooms or publicly shared workstations to strictly manage the profile settings. To change a profile to a mandatory profile, configure the profile to the preferred specification, and then log off the account. Next, with an Administrator account, locate the profile folder and rename the corresponding Ntuser.dat file to Ntuser.man.

Temporary profiles occur when the server authenticating the login for a user with a roaming profile cannot locate the profile folder on the server. When this happens, the machine attempts to load a cached copy of the user’s profile from the local machine. If the user has never logged into the system before and no cached copy of the profile can be located, a temporary profile is created using the Default profile on the system. This temporary profile will become the user’s roaming user profile when the user logs off and the profile is copied up to the server.

Highly managed users might be defined as users who have a very limited set of applications they must run on their workstation to perform their job function. These users typically have a lower level of computer skills than engineers and developers. As such, it is a best practice to limit these users so that it is difficult, if not impossible, for them to make configuration changes to the system that will cause it to work less efficiently or not at all. At the same time, you must be aware of any particular permissions that these users might require in order for their specific applications to run correctly in a limited environment.

Many companies have employees who either frequently travel or are located away from the typical office environment. These mobile users are unique because they usually log on to the company network through a portable computer from different locations over a slow-link dial-up modem connection. Though mobile users differ, both the slow-link connection and lack of local access should be used as the defining qualities for this type of network client.

In many companies, the administrators’ workstations have no controls in place at all. The accounts the administrators use to log on to the network give them access to control every aspect of the workstation, as well as the servers. Because these accounts have so much power over the network, it is recommended that policies be in place to protect that power.

The following list provides best practices for safeguarding the administrator account privileges: