
Preparing a Locked Down Active Directory Domain Services

Organizations often lock down Active Directory Domain Services (AD DS) to help mitigate security risks. However, a locked-down Active Directory environment can limit the permissions that Office Communications Server 2007 R2 requires. Properly preparing a locked-down Active Directory environment for Office Communications Server involves some additional considerations and steps.

Two common ways in which permissions are limited in a locked-down Active Directory environment are as follows:

Authenticated user access control entries (ACEs) are removed from containers.

Permissions inheritance is disabled on containers of User, Contact, InetOrgPerson, or Computer objects.

In This Section

Authenticated User Permissions Are Removed

Permissions Inheritance Is Disabled on Computers, Users, or InetOrgPerson Containers

Authenticated User Permissions Are Removed

In a locked-down Active Directory Domain Services (AD DS) environment, authenticated user access control entries (ACEs) are removed from the default Active Directory containers, including the Users, Configuration or System, and organizational units (OUs) where User and Computer objects are stored. Removing authenticated user ACEs prevents read access to Active Directory information. However, removing the ACEs creates problems for Office Communications Server, because it depends on read permission to these containers to allow users to run domain preparation.

In this situation, membership in the DomainAdmins group, which is required to run domain preparation, server activation, and pool creation, no longer grants read access to Active Directory information stored in the default containers. You must manually grant read permissions on various containers in the forest root domain so that domain preparation can verify that the prerequisite forest preparation procedure is complete.

To enable a user to run domain preparation, server activation, or pool creation on any non-forest root domain, you have the following options:

Use an account that is a member of the EnterpriseAdmins group to run domain preparation.

Use an account that is a member of the DomainAdmins group and grant this account read-access permissions on each of the following containers in the forest root domain:

Domain

Configuration or System
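As an added example (not part of the original guide), the following PowerShell audits whether a chosen principal, and Authenticated Users, still hold read rights on the forest-root containers named above (Domain, Configuration, System). It assumes the RSAT ActiveDirectory module is installed, a forest-root domain controller is reachable, and the placeholder group name CONTOSO\OcsPrepAdmins.

```powershell
Import-Module ActiveDirectory

function Get-ReadAces {
    param($Acl, [string]$Identity)
    $genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    # Any Allow ACE for the identity carrying at least one GenericRead bit
    # (ReadProperty, ListChildren, ListObject or ReadControl).
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ([int]($_.ActiveDirectoryRights -band $genericRead) -ne 0)
    }
}

function Test-ForestRootReadAccess {
    param(
        # Account or group that will run domain preparation (placeholder name).
        [Parameter(Mandatory)][string]$Principal
    )
    $forest     = Get-ADForest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $rootDse    = Get-ADRootDSE -Server $rootDomain.PDCEmulator
    $rootDn     = $rootDomain.DistinguishedName

    # Containers the guide says must be readable in the forest root domain.
    $containers = [ordered]@{
        'Domain'        = $rootDn
        'Configuration' = $rootDse.configurationNamingContext
        'System'        = "CN=System,$rootDn"
    }

    foreach ($name in $containers.Keys) {
        $dn  = $containers[$name]
        $acl = Get-Acl -Path "AD:\$dn"
        $principalAces = @(Get-ReadAces -Acl $acl -Identity $Principal)
        # Also report whether the default Authenticated Users read ACE survived lock-down.
        $authUsersAces = @(Get-ReadAces -Acl $acl -Identity 'NT AUTHORITY\Authenticated Users')
        [pscustomobject]@{
            Container              = $name
            DistinguishedName      = $dn
            PrincipalHasRead       = $principalAces.Count -gt 0
            PrincipalRights        = ($principalAces.ActiveDirectoryRights | Sort-Object -Unique) -join ', '
            AuthenticatedUsersRead = $authUsersAces.Count -gt 0
        }
    }
}

# 'CONTOSO\OcsPrepAdmins' is a placeholder; substitute the real account or group.
Test-ForestRootReadAccess -Principal 'CONTOSO\OcsPrepAdmins' | Format-Table -AutoSize
```

The check matches only ACEs granted directly to the named identity, so read rights that arrive through group membership or a broader ACE will show as absent and should be confirmed separately.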
