Permissions in AD are privileges granted to users or groups to perform certain operations on objects. Permissions are usually granted by object owners or administrators.
Users and groups are assigned permissions (to read, write, create child objects, etc.) over objects in AD. These permissions are of two types:
- Standard permissions, which cover common operations such as full control, read and write.
- Special permissions, which are more privileged, such as modify permissions and modify owner.
Permissions on objects can be assigned in two ways:
1. By configuring GPOs using the Group Policy Management Console.
2. By using the Security tab in the object's properties dialog box.
Permissions on objects can be inherited in two ways:
1. From the parent object class from which the object was created.
2. From the groups to which the object has been added.
Because of these inheritance rules and direct assignments, an object can end up with conflicting permissions. In that case, deny permissions take precedence over allow permissions. For example:
- Subject A belongs to group B.
- A is granted permission to read C.
- B is denied permission to read C.
- When A tries to read C, access is denied.
You can view the permissions on an object in the user interface in the Security tab of the object's properties.
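The same check can be done from PowerShell instead of the Security tab. The function below is an added example, not part of these notes: it builds a principal's group token (including nested groups), reads the object's DACL with the RSAT ActiveDirectory module, and walks the ACEs in stored order the way Windows does, so the A/B/C case above reports "Denied". The object DN and account name in the final call are placeholders.

```powershell
# Added example: resolve whether one principal is allowed or denied a right on
# one AD object. Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

function Get-EffectiveAdAccess {
    param(
        [Parameter(Mandatory)] [string] $ObjectDN,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [System.DirectoryServices.ActiveDirectoryRights] $Right = 'ReadProperty'
    )
    # Token = the user's own SID plus every group it belongs to, nested groups
    # included (LDAP_MATCHING_RULE_IN_CHAIN). Well-known identities such as
    # Authenticated Users or Everyone are not expanded, so a real access check
    # can allow more than this function reports.
    $user = Get-ADUser -Identity $SamAccountName
    $sids = @($user.SID.Value)
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { $_.SID.Value }

    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $granted = [System.DirectoryServices.ActiveDirectoryRights] 0
    # ACEs are stored in canonical order: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow. The first Deny touching the requested
    # right wins; Allows accumulate until the whole right is covered. This is
    # why an explicit Allow on the object itself beats an inherited Deny.
    foreach ($ace in $acl.Access) {
        # Skip ACEs that exist only to be inherited by child objects.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # Only consider ACEs that apply to the whole object, not ones scoped to
        # a single property or extended right via ObjectType.
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID that can no longer be resolved
        if ($sids -notcontains $aceSid) { continue }
        if (-not ($ace.ActiveDirectoryRights -band $Right)) { continue }

        if ($ace.AccessControlType -eq 'Deny') {
            return [pscustomobject]@{ Result = 'Denied';  By = $ace.IdentityReference; Inherited = $ace.IsInherited }
        }
        $granted = $granted -bor ($ace.ActiveDirectoryRights -band $Right)
        if (($granted -band $Right) -eq $Right) {
            return [pscustomobject]@{ Result = 'Allowed'; By = $ace.IdentityReference; Inherited = $ace.IsInherited }
        }
    }
    # No ACE covered the right at all: implicit deny.
    [pscustomobject]@{ Result = 'Denied'; By = '(no matching ACE)'; Inherited = $null }
}

# Placeholder values for the A/B/C example; replace with a real DN and account.
Get-EffectiveAdAccess -ObjectDN 'CN=C,OU=Objects,DC=example,DC=local' -SamAccountName 'A'
```

The `By` field names the ACE that decided the outcome, which is the first thing to look at when an account unexpectedly loses access to an object.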