Planning Distributed Security
ACLs describe the groups and individuals who have access to specific objects in Windows 2000. The individuals and security groups are defined in the Active Directory Users and Computers snap-in to MMC. Many types of Windows 2000 objects have associated ACLs, including all Active Directory objects, local NTFS files and folders, the registry, and printers. The granularity of ACLs is so fine that you can even place security access restrictions on individual fonts.
Access control lists implement usage restriction strategies. Windows 2000 offers a very fine degree of security control over access to a wide variety of objects. To give a group access to an object, you add the group to the ACL of the object. Then you can adjust the specific permissions that the group can exercise over the object. In terms of a local file folder, for example, the available permissions for a group begin with read, write, modify, and delete, but those are only the first four of thirteen available permissions.
Access control lists are pervasive throughout Windows 2000. The only prerequisite is that, because ACLs are lists of security groups and users, you must define the groups that describe your organization's project teams or business roles before adding them to the ACLs.
The access control list for an object is generally found in the Security tab of the property sheet. This tab shows the list of groups that have access to this object, plus a summary of the permissions enjoyed by each group. There is an Advanced button that displays the group permissions in detail so that users can use more advanced features for granting permissions, such as defining access inheritance options.
For example, to view the access control list for a printer, click Start, and then point to Settings. Point to the folder that contains Control Panel, and then click Printers. Right-click a printer and select Properties. The access control list for that printer is in the Security tab.
To see the access control list for a local file folder, open My Computer and use Explore to navigate to the folder. Right-click the folder. Point to Properties, and click the Security tab.
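The same view-and-grant steps for a local folder can be scripted, shown here as an added example that is not part of the original page. It assumes a current Windows system with PowerShell 3.0 or later (Windows 2000 itself predates PowerShell); the folder path and group name are constructed placeholders that must exist on your system, and the function names are hypothetical.

```powershell
# Added example. $Folder and $Group are constructed placeholders, not values from the page.
$Folder = 'C:\Projects\Payroll'
$Group  = 'EXAMPLE\Payroll-Team'

function Get-FolderAclReport {
    param([Parameter(Mandatory)][string]$Path)
    # Each entry names one user or group and the rights it holds;
    # IsInherited separates entries set on this folder from those
    # that flow down from a parent folder.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights,
                      IsInherited, InheritanceFlags
}

function Add-GroupAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    $acl = Get-Acl -LiteralPath $Path
    # ContainerInherit + ObjectInherit: subfolders and files inherit this entry.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # Adding the group to the ACL is what gives it access to the object.
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (Test-Path -LiteralPath $Folder -PathType Container) {
    # Grant the group least-privilege read access, then show the resulting ACL.
    Add-GroupAccess -Path $Folder -Identity $Group -Rights 'ReadAndExecute'
    Get-FolderAclReport -Path $Folder | Format-Table -AutoSize
} else {
    Write-Warning "Folder '$Folder' not found; set `$Folder and `$Group to real values."
}
```

The report's columns correspond to what the Security tab and its Advanced view display for the folder.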
To view the access control list of an organizational unit (folder) in the Active Directory Users and Computers MMC snap-in, you must open the View menu and select Advanced Features. Otherwise, the Security tab is not visible in the Properties dialog box.
For additional information about access control and ACLs, open Windows 2000 Server Help and click the Index tab. Scroll to Access Control. There are many related topics in the index because ACLs are available throughout the product.