
Manage security in Active Directory
by Joel Semeniuk

Tools such as NetIQ's Directory Security Administrator (DSA) are increasingly important as organizations work to unify and enforce AD security policies throughout the enterprise. Unfortunately, the AD admin tools that ship with Windows 2000 don't make this an easy task. DSA provides administrators with an extended view of security throughout Active Directory (AD) and includes functionality not available in Windows 2000 default administrative tools, such as the ability to search AD for specific permissions as well as easily distinguish between explicit and inherited permissions on AD objects. DSA allows experienced administrators to display, search, filter, edit, and audit permissions on objects within AD.

Quick Facts
Directory Security Administrator
NetIQ
Web: www.netiq.com
Phone: 888-323-6768; 408-856-3000
Price: Contact vendor for pricing
Quick Facts: Part of NetIQ's Administration Suite designed to help manage Active Directory security.
Pros: Easy installation; includes plug-in for Windows 2000 administration tools; common user interface; powerful search capabilities.
Cons: Should only be used by experienced AD administrators; should be used in conjunction with a comprehensive AD-administration package.

I evaluated DSA on both Windows XP (with the latest Windows XP Administration Tools pack release) and Windows 2000 Server. In both cases the installation went smoothly. You can choose from a few options during installation, depending on your level of integration with Active Directory Users and Computers. First, you can simply install the DSA Permissions Explorer and DSA Search applications. The second option installs the AD component, which allows you to launch DSA Permissions Explorer and DSA Search from Active Directory Users and Computers. The third installation option redirects you to NetIQ's site to check out the DSA Web Console technology preview that enables you to remotely manage AD security using a browser.

Seek and Find

After installation, I dove into the DSA Permissions Explorer, which has an interface similar to Active Directory Users and Computers. Its three panes include the Tree Pane, which shows the AD tree structure of the target domain; the Results Pane, which shows the contents of the selected container; and the Permission Entries Pane that lists the Access Control Entries (ACEs) for the currently selected object. You use ACEs to identify security principals and their permissions to objects—managing ACEs effectively is the whole purpose of DSA.

The list of ACEs in the Permission Entries Pane enables you to ascertain quickly the permissions assigned to security principals throughout AD and determine whether permissions are set explicitly on an object or inherited from a parent. You can filter the listed ACEs to display only those entries that apply to a specific security principal. DSA also allows administrators with the appropriate authority to modify permissions directly using the Edit Security feature.
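
The explicit-versus-inherited distinction and the per-principal filter described above can be reproduced on a raw security descriptor. The following Python code is an added example, not NetIQ's code or part of the original review; it parses a constructed SDDL string, and the function names, the sample SID, and the sample descriptor are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample DACL for a hypothetical OU (not taken from the article).
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # made-up principal
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCCDCLCSWRCWDWO;;;DA)"          # explicit allow, Domain Admins
    f"(D;;WP;;;{USER_SID})"                  # explicit deny write-property
    "(A;CIID;RPLCRC;;;AU)"                   # inherited allow, Authenticated Users
    f"(OA;CIID;CR;00299570-246d-11d0-a768-00aa006e0529;;{USER_SID})"  # inherited, Reset Password right
)


class Ace(NamedTuple):
    ace_type: str      # A, D, OA, OD ...
    flags: tuple       # two-letter ACE flags, e.g. ("CI", "ID")
    rights: tuple      # two-letter rights tokens, or one hex mask
    object_guid: str   # set only on object-specific ACEs
    trustee: str       # SID or SDDL alias of the security principal
    inherited: bool    # True when the ID (INHERITED_ACE) flag is present


def _tokens(field: str) -> tuple:
    """Split a run of two-letter SDDL tokens; keep a hex mask whole."""
    if field.startswith("0x"):
        return (field,)
    return tuple(field[i:i + 2] for i in range(0, len(field), 2))


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the DACL in their stored order."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL with ACEs found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        flag_tokens = _tokens(flags)
        aces.append(Ace(ace_type, flag_tokens, _tokens(rights), obj_guid,
                        trustee, "ID" in flag_tokens))
    return aces


def filter_aces(aces, trustee: Optional[str] = None, inherited: Optional[bool] = None):
    """Keep ACEs matching a principal and/or an explicit/inherited setting."""
    return [a for a in aces
            if (trustee is None or a.trustee == trustee)
            and (inherited is None or a.inherited == inherited)]
```

Calling `filter_aces(parse_dacl(SAMPLE_SDDL), trustee=USER_SID, inherited=False)` returns only the deny entry set directly on the object, which is the kind of entry an audit of one principal's permissions usually needs to find first.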

DSA Search is one of the more important features of this product. It helps search for objects in AD based on a set of criteria you specify. This is an extremely powerful and much needed feature that allows administrators to quickly determine the source of permissions for certain objects within AD.

In all, I found DSA to be lean and feature-specific; its features, combined with ease of use, are essential for effective enterprise security administration—especially with today's high security concerns. However, I would recommend using DSA only as one part of a complete administration suite. I don't think that DSA's features allow it to stand on its own because its features are too specific to certain administrative tasks. NetIQ usually provides lengthy evaluation periods for its products, so consider downloading the product from NetIQ to see if it fits your organization's needs.

About the Author
Joel Semeniuk is vice president of software development, and heads up all new development projects for ImagiNET Resources Corp., a highly specialized Microsoft Gold Partner in e-commerce based in Canada. Reach him by e-mail at .

