MODULE 7: MANAGING ACCESS TO OBJECTS IN AN ORGANIZATIONAL UNIT
First, create a global group so that control can be delegated to the members of that group.
Use the Active Directory Users and Computers tool to create the group.
Enter a name for the group.
[Screenshot: New Object - Group dialog. Create in: nwtraders.msft/Users. Group name and Group name (pre-Windows 2000): G NWTRADERS IT Personnel. Group scope and Group type options.]
To delegate control on an OU, right-click that OU and choose Delegate Control from the context menu.
Click Next
Click the Add button to choose users or groups.
Select the group G NWTRADERS IT Personnel.
Click OK
The group has been selected.
The tasks to delegate
[Screenshot: Delegation of Control Wizard, Tasks to Delegate page. Common tasks listed include "Create, delete and manage user accounts", "Reset user passwords and force password change at next logon", "Generate Resultant Set of Policy (Planning)" and "Generate Resultant Set of Policy (Logging)"; the alternative is "Create a custom task to delegate".]
Click Finish to complete the wizard.
Exercise 2: Record the security attributes of an object in Active Directory
Choose View > Advanced to make the Security tab appear for Active Directory objects.
Open the Properties of the Groups OU.
Add the group G NWTRADERS IT Personnel to the ACL.
Click OK
Looking at the permissions list, we see that G NWTRADERS IT Personnel is allowed to create and delete groups in the Users OU.
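The same ACL review can be recorded from PowerShell instead of the Security tab. This is an added example, not part of the original module; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name below is an assumption because the page does not spell out the full path.

```powershell
Import-Module ActiveDirectory   # RSAT module; it also provides the AD: drive

# Assumed distinguished name: change it to the OU whose ACL you are recording.
$OuDn  = 'OU=Groups,OU=Acapulco,OU=Locations,DC=nwtraders,DC=msft'
# Group named on the page, written as DOMAIN\name as Get-Acl reports it.
$Group = 'NWTRADERS\G NWTRADERS IT Personnel'

# Map schemaIDGUID -> lDAPDisplayName so ObjectType GUIDs in the ACEs
# are shown as class names (for example "group") instead of raw GUIDs.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Get-OuDelegation {
    # Returns every ACE on the OU that names the given identity.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Identity
    )
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            @{ Name = 'AppliesToClass'
               Expression = {
                   # An empty GUID means the right is not limited to one class.
                   if ($_.ObjectType -eq [guid]::Empty) { 'All' }
                   else { $guidMap[$_.ObjectType] }
               } },
            InheritanceType, IsInherited
}

# Record what the wizard granted. A CreateChild/DeleteChild right scoped to
# "group" corresponds to the Create/Delete entry seen in the dialog.
Get-OuDelegation -DistinguishedName $OuDn -Identity $Group |
    Format-Table -AutoSize

# Also list every explicit (non-inherited) ACE on the OU, so a delegation
# made to some other group does not go unnoticed.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited } |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize
```

Saving the output before and after running the Delegation of Control Wizard gives a simple record of exactly which entries the delegation added.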