Inheritance and Delegation of Administration
Active Directory supports inheritance of permissions down the object tree to allow administration to be done at higher levels in the tree. This allows administrators to set up inheritable permissions on objects near the root (such as domain and organizational units) and have those permissions flow down automatically to various objects in the tree.
Inheritance is controlled on a per-ACE basis. You can set the following flags in the AceFlags of an ACE to control how it is inherited:
- ADS_ACEFLAG_INHERIT_ACE: This flag causes the ACE to be inherited down the tree.
- ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: This flag causes the ACE to be inherited down only one level in the tree.
- ADS_ACEFLAG_INHERIT_ONLY_ACE: This flag causes the ACE to be ignored on the object on which it is specified; it is only inherited downward and is effective only where it has been inherited.
In addition to plain inheritance, Active Directory supports object-specific inheritance. This allows an inheritable ACE to be inherited down the tree but to be effective only on a specific type of object, which is extremely useful in delegating administration. For example, an object-specific inheritable ACE can be set on an organizational unit that grants a group full control over all user objects in that organizational unit and nothing else. In this way, management of the users in that organizational unit is delegated to the members of that group.
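The delegation described above, as an added PowerShell example that is not part of the original page: it uses the ActiveDirectory module's AD: drive and System.DirectoryServices to add an inheritable, user-class-only full-control ACE to an OU. The OU distinguished name (OU=Sales,DC=corp,DC=example) and the group name (CORP\Sales-UserAdmins) are assumptions.

```powershell
# Added example (not from the original page). Assumed OU and group names below.
Import-Module ActiveDirectory

$ouDn  = 'OU=Sales,DC=corp,DC=example'   # assumption: OU whose user objects are delegated
$group = 'CORP\Sales-UserAdmins'          # assumption: group receiving the delegation

$groupSid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Look up the schemaIDGUID of the 'user' class from the schema instead of hard-coding it;
# this GUID becomes the ACE's inherited object type (the object-specific part).
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# Descendents + an inherited object type is the .NET equivalent of
# ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE scoped to the user class:
# the ACE is not effective on the OU itself, only on user objects beneath it.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check the result: InheritanceFlags should be ContainerInherit, PropagationFlags InheritOnly,
# and InheritedObjectType the user class GUID. Reviewing OU ACLs this way is also how you
# spot delegations that are broader than intended (e.g. no InheritedObjectType at all).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Select-Object ActiveDirectoryRights, InheritanceType, InheritedObjectType,
                  InheritanceFlags, PropagationFlags
```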
- Security Groups and Delegation of Service Administration. Use security groups to define and delegate the administrative roles associated with your application server. For example, your service may be associated with a group named MyService Admins. Users identified as MyService administrators are added to the MyService Admins group. The setup program for MyService can then set ACLs in the directory that grant MyService Admins sufficient permissions to read and write MyService-related attributes, create MyService-specific objects, and so on.
- Security Groups and Roles for Computers Running Your Service. Use security groups to define the set of computers that are granted access to your service's objects in the directory. For example, your service may be associated with a group named MyService Servers. All computers running the MyService server are added to the MyService Servers group, and this group can then be given access to the parts of the directory where MyService servers need to read and write information. The setup program for MyService can set ACLs in the directory that grant MyService Servers sufficient permissions to read and write MyService-related attributes, create MyService-specific objects, and so on.