Syndicated IT Content - UK: This blog covers syndicated UK IT content. By Ryan (http://www.blogger.com/profile/17047394349216117963), feed updated 2024-03-12.<br> What is delegation of administration in Active Directory? (published 2010-06-19)<div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt">An IT infrastructure is typically comprised of many IT assets such as user accounts, computers, files and databases, applications and services all of which need to be administered. In such IT infrastructures, it is not possible for a handful of administrators to adequately administer all aspects of the IT infrastructure.</SPAN></P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt">Thus, in most IT infrastructures, administrative responsibilities for managing the various IT assets that together comprise the IT infrastructure are distributed (or delegated) amongst an adequate and typically greater number of less-privileged administrators, who are then responsible for managing smaller specific portions of the IT infrastructure.</SPAN></P> <P><B style="mso-bidi-font-weight: normal"><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt"><A href="http://www.activedirsec.com/delegate.html">Delegation of administration</A></SPAN></B><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt"> is the act of distributing and <B style="mso-bidi-font-weight: normal">delegating an administrative task</B> for various aspects of IT 
management amongst an adequate number of administrators.</SPAN></P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt">The act of delegating administration involves granting one or more users or Active Directory security groups the necessary <B style="mso-bidi-font-weight: normal"><A href="http://www.activedirsec.com/security_permissions.html">Active Directory security permissions</A></B>, as appropriate, so as to allow the delegated administrator to carry out these tasks.</SPAN></P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt">In the interest of security, after delegating an administrative task, IT personnel should always also <A href="http://www.activedirsec.com/verify.html"><B style="mso-bidi-font-weight: normal">verify delegation in Active Directory</B></A>, so as to be sure that the task was delegated accurately. 
</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">The process of verifying a delegation in Active Directory is rather complicated but with the right <B style="mso-bidi-font-weight: normal"><A href="http://www.paramountdefenses.com/goldfinger.html">Active Directory Reporting Tool</A></B>, IT personnel can accomplish this task efficiently and reliably.</SPAN></P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"></SPAN> </P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Done right, Active Directory's powerful <B>administrative delegation</B> capabilities let organizations securely, efficiently and cost-effectively delegate administrative authority for identity and access management in their IT infrastructures thereby reducing cost and enhancing security.</SPAN></SPAN></P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"></SPAN></SPAN> </P> <P><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; 
mso-bidi-language: AR-SA"><SPAN style="FONT-FAMILY: Arial; COLOR: #555555; FONT-SIZE: 10pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Source - <A href="http://www.activedirsec.com/index.html">Active Directory Security Technical Reference</A></SPAN></SPAN></P></DIV></div><br> A Guide to the Active Directory Security Model (published 2010-06-14)<div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV> <P align=justify>Active Directory's security model secures and protects every object stored in Active Directory, including domain user accounts and domain computer accounts, domain security groups and group policies. The <A href="http://www.activedirsec.com/">Active Directory Security</A> model allows administrators to specify, with a high degree of control, who has what access to which object. 
It also allows administrators to specify access for an entire group of users so as to simplify security management.</P> <P align=justify> </P> <P align=justify>The following is an overview of how <B><A href="http://www.activedirsec.com/security_model.html">Active Directory's security model</A></B> protects stored content –</P> <OL> <LI> <P align=justify>Each object is protected by a component known as a <A href="http://www.activedirsec.com/security_descriptors.html"><FONT color=#800080>Security Descriptor</FONT></A></P> <LI> <P align=justify>Each security descriptor contains, amongst other components, an Access Control List (ACL)</P> <LI> <P align=justify>Each ACL contains one or more Access Control Entries (ACEs)</P> <LI> <P align=justify>Each ACE allows or denies specific <A href="http://www.activedirsec.com/security_permissions.html"><FONT color=#800080>security permissions</FONT></A> to some security principal</P> <LI> <P align=justify><A href="http://www.activedirsec.com/security_groups.html"><FONT color=#800080>Security groups</FONT></A> can be specified as security principals, and can themselves be members of other security groups</P> <LI> <P align=justify>ACEs can be explicit or inherited; explicit ACEs override inherited ACEs</P> <LI> <P align=justify>Access is specified in the form of low-level technical permissions</P> <LI> <P align=justify>These low-level permissions can be standard permissions, or special permissions such as <A href="http://www.activedirsec.com/extended_rights.html"><FONT color=#800080>extended rights</FONT></A> or <A href="http://www.activedirsec.com/validated_writes.html"><FONT color=#800080>validated writes</FONT></A></P> <LI> <P align=justify>Active Directory's current <A href="http://www.activedirsec.com/visibility_modes.html"><FONT color=#800080>object visibility mode</FONT></A> impacts list access requests</P> <LI> <P align=justify>The access check takes into account the object's ACL and the user's token and determines the resultant access for the user on the object</P></LI></OL> <P 
align=justify>In this manner, Active Directory's security model secures and protects Active Directory content. </P></DIV></div><br> How to generate security audit reports in Active Directory? (published 2010-05-28)<div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV>Microsoft's Active Directory technology is the foundation of identity and access management in Microsoft Windows Server based IT infrastructures, as it stores and protects all vital components of security including user accounts, security groups, group policies and even computer accounts. </DIV> <DIV> </DIV> <DIV>It thus plays a vital role in security and compliance auditing, and organizations often need to know <A href="http://activedir-reporting.blogspot.com/">how to generate security audit reports in Active Directory</A>. These reports often form an integral component of an organization's overall security audit and regulatory compliance reporting apparatus. These reports often cover user account management, security group management, and even delegated administrative access management.</DIV> <DIV> </DIV> <DIV>IT administrative personnel are often tasked with generating such reports and with the right Active Directory reporting tools, they can often generate these reports quickly, reliably and in a form that is required by IT managers and IT auditors. 
IT admins can also write <A href="http://ad-powershell-blog.blogspot.com/">PowerShell scripts for Active Directory</A> or LDAP scripts to generate these reports, but writing such scripts is often time-consuming and error-prone, and thus many IT admins choose to use a 3rd party reporting solution to fulfill such needs.</DIV> <DIV> </DIV> <DIV> <DIV>On a related subject, IT administrators also need to know <A href="http://activedir-auditandreporting.blogspot.com/"><FONT color=#800080>how to audit and report security in Active Directory</FONT></A>, and to do so, they often rely either on custom inbuilt scripts or on 3rd party automated management tools, as Microsoft unfortunately does not seem to provide appropriate tools to do so. Fortunately, there are some very helpful and useful 3rd party Active Directory reporting tools available that can assist IT admins in making this job easy and efficient for them to carry out.</DIV> <DIV> </DIV></DIV></div><br>
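<div>A PowerShell report of the ACEs on one container, of the kind the posts above describe for reviewing a delegation. This is an added example, not code from the original posts or from any tool they link to. It assumes the RSAT ActiveDirectory module; the target DN is a constructed placeholder and <code>Resolve-Guid</code> is a hypothetical helper named here.</div>

```powershell
# Added example: list the ACEs on one container so a delegation can be reviewed.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Placeholder DN constructed for this example; replace with the delegated container.
$TargetDN = 'OU=Helpdesk-Managed,DC=example,DC=com'

# GUID -> name map: schemaIDGUID identifies attributes and classes,
# rightsGuid identifies extended rights and validated writes.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Hypothetical helper: turn an ACE's ObjectType GUID into something readable.
function Resolve-Guid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { 'All' }
    elseif ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] }
    else { $Guid.ToString() }
}

# One row per ACE in the object's DACL.
$report = (Get-Acl -Path "AD:\$TargetDN").Access | ForEach-Object {
    [pscustomobject]@{
        Principal  = $_.IdentityReference.Value
        Type       = $_.AccessControlType       # Allow or Deny
        Rights     = $_.ActiveDirectoryRights   # e.g. WriteProperty, ExtendedRight
        AppliesTo  = Resolve-Guid $_.ObjectType
        ChildClass = Resolve-Guid $_.InheritedObjectType
        Inherited  = $_.IsInherited             # False = set explicitly on this object
        Scope      = $_.InheritanceType
    }
}

# Explicit ACEs first: a delegation made on this container shows up there.
$report | Sort-Object Inherited, Type, Principal | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\acl-report.csv
```

<div>The report lists the ACEs as stored; it does not compute the resultant access for a given user, which also depends on the group memberships in that user's token.</div>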