If they catch you, it means you cheated. If they don't, it means you used the right tactics.
The most effective use of shortcut trusts is between two domain trees in a forest. For instance, in the domain trust example, a shortcut trust could be established between the two domains, payroll.acctg.yourcompany.com and sales.mycompany.com.
Shortcut trusts are one of the two types of explicit domain trusts that can be established in Windows 2000; the other is the external trust, used to establish a trust relationship with domains that are not part of the forest. The external trust is one-way and nontransitive, as in NT 4.0 domain models. However, as with NT, two one-way trusts can be established if a two-way relationship is desired.

Tip: Windows 2000 explicit trusts are created using the Active Directory Domains and Trusts administrative tool.

Delegation of Administration

One of Active Directory’s strongest points, and one of its most attractive to administrators in a large, complex enterprise network, is the ability to delegate administrative authority all the way down to the lowest levels of the organization. You do this by creating an OU tree, in which organizational units can be nested inside one another and administrative responsibility for any part of the OU subtree can be assigned to specific groups or users, without giving them administrative control over any other part of the domain. This was not possible in NT networks, where administrative authority was assigned only on a domainwide basis. You will still have an Administrator account and a Domain Administrators group with administrative authority over the entire domain, but you can reserve these accounts for occasional use by a limited number of highly trusted administrators.

Tip: Because logging on routinely with an Administrator account can pose a security risk, even trusted administrative personnel should normally use a nonadministrative account for daily business. Windows 2000 provides the secondary logon service, which allows you to use the run as command to run programs that require administrative privileges while you are logged on with a nonadministrative account.

The delegation of administration responsibilities can be defined in three ways:
• Permissions can be delegated to change properties on a particular container.
• Permissions can be delegated to create and delete child objects of a specific type beneath an OU.
• Permissions can be delegated to update specific properties on child objects of a specific type beneath an OU.

You can delegate administrative control to any level of a domain tree by creating organizational units within the domain and delegating administrative control for specific organizational units to particular users or groups. This lets you define the most appropriate administrative scope for a particular person, whether that includes an entire domain, all the organizational units within a domain, or just a single organizational unit. Microsoft has made it easy for you to use this newfound power to delegate by providing a Delegation of Control Wizard that walks you through the steps (see Figure 4.12).

http://corpitk.earthweb.com/reference/pro/1928994024/ch04/04-04.html (2 of 3) [8/3/2000 6:52:40 AM] Configuring Windows 2000 Server Security: Secure Networking Using Windows 2000 Distributed Security Services

To access the wizard, open Active Directory Users and Computers, double-click the domain node in the console tree, right-click the folder for which you want to delegate administrative authority, and select Delegate control. This will start the wizard.

Figure 4.12 Assign administrative authority with the Delegation of Control Wizard.

After you have chosen the users or groups to whom you wish to delegate authority, you will be able to choose exactly the administrative tasks you wish to delegate to them (see Figure 4.13).

Figure 4.13 Select specific administrative tasks to be delegated.

This gives you a great deal of flexibility and control over the delegation process. You can even create a customized task to delegate. You will be shown a summary of your actions and informed of the successful completion of the wizard (see Figure 4.14).

Figure 4.14 Finish the Delegation of Control process.

You should carefully review the summary to make certain you have assigned control over the objects and tasks to which you intended to delegate authority. Then click Finish, and the process is complete.
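One way to review a delegation after the wizard has finished, as an added example that is not from the book: this Python script parses an OU's DACL from its SDDL text form and sorts every explicit write ACE into the three delegation forms listed above. The use of SDDL, the sample DACL, the SID and the attribute GUID are assumptions constructed for illustration, and rights are assumed to be in two-letter form rather than hex.

```python
import re

# Rights that modify the directory; read-only rights (RP, LC, RC, LO) are ignored.
WRITE_RIGHTS = {"WP", "CC", "DC", "SW", "CR", "SD", "DT", "WD", "WO", "GA", "GW"}
BUILTIN = {"SY", "DA", "EA", "BA"}  # SDDL aliases: System, Domain/Enterprise Admins, Administrators

def parse_aces(sddl):
    """Yield one dict per ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, obj, inherit_obj, trustee = body.split(";")[:6]
        yield {"type": ace_type, "flags": set(re.findall("..", flags)),
               "rights": set(re.findall("..", rights)), "object": obj.lower(),
               "inherit_object": inherit_obj.lower(), "trustee": trustee}

def classify(ace):
    """Map an allow ACE onto the three delegation forms the text lists."""
    rights = ace["rights"]
    if ace["type"] not in ("A", "OA") or not rights & WRITE_RIGHTS:
        return None
    if rights & {"CC", "DC"} and ace["object"]:
        return "create/delete child objects of one type"
    if "WP" in rights and ace["object"] and ace["inherit_object"]:
        return "update specific properties on child objects of one type"
    if "WP" in rights and "IO" not in ace["flags"]:
        return "change properties on the container"
    return "other write access, review manually"

def audit_delegations(sddl):
    """Return (trustee, category, write rights) for explicit, non-built-in ACEs."""
    findings = []
    for ace in parse_aces(sddl):
        if "ID" in ace["flags"] or ace["trustee"] in BUILTIN:
            continue  # inherited from a parent, or a default administrative group
        category = classify(ace)
        if category:
            findings.append((ace["trustee"], category, sorted(ace["rights"] & WRITE_RIGHTS)))
    return findings

# Constructed sample DACL for an OU; the SID and the attribute GUID are made up.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the user class
ATTR = "11111111-2222-3333-4444-555555555555"        # placeholder attribute GUID
SAMPLE = ("D:AI(A;;GA;;;DA)(A;;RPLCRC;;;AU)"
          f"(A;;RPWP;;;{HELPDESK})(OA;CI;CCDC;{USER_CLASS};;{HELPDESK})"
          f"(OA;CIIO;WP;{ATTR};{USER_CLASS};{HELPDESK})(A;CIID;GA;;;{HELPDESK})")

if __name__ == "__main__":
    for trustee, category, rights in audit_delegations(SAMPLE):
        print(f"{trustee}: {category} [{' '.join(rights)}]")
```

An ACE that lands in the "other write access" bucket, such as full control applied to all descendants, is broader than any of the three delegation forms and is the first thing to compare against the wizard's summary.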