Access Denied--Controlling Read and Write Access to AD Objects
Learn to use AD to publish employee information but still control read and write access to AD objects.
January 15, 2002
Get answers to your security-related Win2K questions
[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]
I plan to use Active Directory (AD) to publish employee information. However, I'm concerned about the default permissions to AD objects that AD grants to the Authenticated Users group. Members of Authenticated Users have read access to Public Information, General Information, Personal Information, Web Information, and permissions. To which fields does each information type grant access?
When you plan to implement AD, you must plan which user object properties you'll use and who will have read access to them. Many user object properties have privacy or security implications. To look at the permissions for an AD object such as a user account, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, find the user listed, open the user's Properties dialog box, select the Security tab, then click Advanced. If you don't see the Security tab, close the Properties dialog box, select Advanced Features from the snap-in's View menu, then reopen the user's Properties dialog box.
On the Permissions tab in the Access Control Settings dialog box, which Figure 1 shows, select the permission entry that grants Authenticated Users members read access to public information. In AD, you control access through object-level and property-level permissions. Object-level permissions pertain to actions performed on the object itself (e.g., deletion) rather than on one of the object's properties.
Through Properties permissions, you can control read and write access to an AD object's individual properties. On the Properties tab that Figure 2 shows, you'll notice read and write options for All Properties (i.e., Read All Properties, Write All Properties) and for a list of nine property sets that includes Phone and Mail Options, General Information, Group Membership, Personal Information, Public Information, Remote Access, Account Restrictions, Logon Information, and Web Information (the last four sets aren't visible in Figure 2).
Following these sets are read and write options for many individual properties such as last name and department. Because each user object has hundreds of properties, you would find it difficult to control access property by property. Evidently, Microsoft tried to group related properties together, such as Personal Information and Public Information, to let you control access to them at one time. Table 1, page 6, shows the properties that comprise each set (which I discovered through a process of elimination).
To determine the properties, I removed the typical permissions from Bob's user account and granted myself read access to one property set at a time, each time noting which properties of Bob's user object I could view. Win2K apparently doesn't use three of the property sets. I thought that the Remote Access property set would control the properties on the Dial In tab, but in my experiments, granting read access to this set had no effect on which properties I could read. I experienced the same results with Group Membership and Phone and Mail Options. In short, I haven't yet discovered the purpose of these property sets.
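The property-set membership that the column works out by elimination can also be read from the directory itself, because every schema attribute that belongs to a set carries that set's GUID in its attributeSecurityGUID attribute. The following PowerShell script is an added example, not the column's own code; it assumes the RSAT ActiveDirectory module, a reachable domain controller, and a constructed account named bob.

```powershell
# Added example, not code from the column. Requires the RSAT ActiveDirectory
# module and a reachable domain controller; 'bob' is a constructed account name.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$config  = $rootDse.configurationNamingContext
$schema  = $rootDse.schemaNamingContext

# 1. Property sets are controlAccessRight objects under Extended-Rights whose
#    validAccesses is 48 (ReadProperty 0x10 + WriteProperty 0x20). Build a
#    GUID -> display-name map so ACEs can be labelled without hardcoding GUIDs.
$propertySets = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=48))' `
    -Properties rightsGuid, displayName |
    ForEach-Object { $propertySets[[guid]$_.rightsGuid] = $_.displayName }

# 2. Which attributes belong to which set: each attributeSchema object that is
#    a member of a set stores the set's GUID in attributeSecurityGUID.
$setMembers = Get-ADObject -SearchBase $schema `
    -LDAPFilter '(&(objectClass=attributeSchema)(attributeSecurityGUID=*))' `
    -Properties lDAPDisplayName, attributeSecurityGUID |
    Group-Object { $propertySets[[guid]$_.attributeSecurityGUID] }

foreach ($set in $setMembers | Sort-Object Name) {
    "{0}: {1}" -f $set.Name, (($set.Group.lDAPDisplayName | Sort-Object) -join ', ')
}

# 3. Which trustees hold read/write on those sets for one user. Only ACEs whose
#    ObjectType is a property-set GUID are shown; ACEs on all properties
#    (ObjectType = empty GUID) or on a single attribute are filtered out.
$user = Get-ADUser -Identity 'bob'
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

$acl.Access |
    Where-Object { $propertySets.ContainsKey($_.ObjectType) } |
    Select-Object @{ n = 'Trustee';     e = { $_.IdentityReference } },
                  @{ n = 'PropertySet'; e = { $propertySets[$_.ObjectType] } },
                  @{ n = 'Rights';      e = { $_.ActiveDirectoryRights } },
                  @{ n = 'Type';        e = { $_.AccessControlType } },
                  @{ n = 'Inherited';   e = { $_.IsInherited } } |
    Sort-Object Trustee, PropertySet |
    Format-Table -AutoSize
```

Run it with an account that can read the Schema and Configuration partitions; the membership it prints reflects your forest's current schema, which may differ from the Win2K results in Table 1.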