Module 10: Administering MMS Contents Overview Introduction to Administering Metadirectory Data Overview of Administrative Areas Access Control Settings for Administrative Areas Overriding the Administrative Area Security Policy 14 Collective Attributes 16 Best Practices 19 Lab A: Administering MMS 20 Review 21 Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  2000 Microsoft Corporation All rights reserved Microsoft, BackOffice, MS-DOS, Windows, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Other product and company names mentioned herein may be the trademarks of their respective owners BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS Overview Slide Objective To provide an overview of the module topics and objectives ! Introduction to Administering Metadirectory Data Lead-in ! Overview of Administrative Areas ! Access Control Settings for Administrative Areas ! Overriding the Administrative Area Security Policy ! Collective Attributes ! Best Practices In this module, you will learn how to administer metadirectory data, including assigning permissions to secure the data and using collective attributes to define attributes for multiple object entries Administration of the metaverse namespace is typically performed through the authoritative connected directories There are two administrative tasks that you perform in the metadirectory itself: securing the metadirectory, and assigning collective attributes to the data Both of these are accomplished by working with administrative areas Administrative areas define a section of the metaverse namespace to which you can assign permissions and apply collective attributes This allows you to manage MMS in larger, more efficient, blocks of data At the end of this module, you will be able to: ! Identify the tasks required to administer metadirectory data ! Describe administrative areas, administrative points, and subentries ! Set access control settings for administrative areas ! Override access control settings for objects and attributes ! Describe and define collective attributes for administrative areas ! Identify best practices for administering the metadirectory BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS Introduction to Administering Metadirectory Data Slide Objective To introduce the concept of administering the metadirectory data ! Administering Metadirectory Data Includes Assigning Permissions and Collective Attributes Lead-in ! Administrative Areas Define the Scope of Administration in the Metaverse Namespace ! Security and Collective Attributes Subentries are Used to Define the Administration of the Administrative Area ! Security Can Be Applied on the Administrative Area, or on Individual Directory Entries ! Collective Attributes Can Only Be Applied on the Administrative Area You will use administrative areas to assign access permissions to a specific section in the metadirectory You can collectively administer metaverse data by using administrative areas An administrative area defines a section of the directory tree up that can be administered in a similar way Administrative areas control both the permissions applied to an object and the shared attributes that are common to all objects in the administrative area After you define an administrative area, you can set access control settings for the specific area that defines what permissions users have to the data These settings then become the security policy for the administrative area You can also set permissions on specific directory entries that are different from the default security policy Administrative areas also define the collective attributes that are shared by all objects in the area Use collective attributes for attribute values that are the same for all objects in the area Collective attributes are also used to manage administrative attributes, such as the attributes displayed on the entry’s properties sheet Collective attributes simplify MMS administration by offering a single point of entry for common organizational data, such as a mailing address or fax number Since collective attributes are read-only at the entry level, they are also used to enforce consistency for data that cannot change across the area BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS # Overview of Administrative Areas Slide Objective Lead-in Administrative Point Administrative Point Administrative Area Scope Administrative Area Scope Administrative Subentries Administrative Subentries Delivery Tip Be sure to explain what an administrative area is on this page An administrative area is a contiguous portion of the directory tree where a specific type of administrative authority is in control This administrative authority can either be the permission to modify the access control settings for the administrative area, or the permission to define collective attributes for the directory entries within that area The administrative area defines the scope of the authority exercised There are three key elements to understanding administrative areas: ! Administrative points An administrative area begins immediately below an object that is defined as an administrative point The administrative point represents the scope of the authority, extending down the directory tree until another administrative point exists, or until MMS reaches the end of the subtree ! Administrative subentries An administrative subentry identifies what kind of administration is exercised at the administrative point The subentry can determine either security or collective data for the administrative area For the administrative area to be effective, you must create an administrative subentry immediately below it ! Administrative area scope The scope of an administrative area is determined by the hierarchical position of the administrative point to which it is associated An administrative area controls every object in the tree below the administrative point, until another administrative point, or the end of the tree, is reached BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS What Are Administrative Points? Slide Objective ! Administrative Points Define the Starting Point of the Administrative Area ! There are Three Default Administrative Points: Lead-in $ The Known Universe $ Top of the Naming Context $ Top of the Connector Namespace ! ! Delivery Tip To illustrate administrative points, open the Administration dialog box and point out the Admin Point check box Any Container Object in the Directory Tree Can be Configured as an Administrative Point Use the Entry Administration Dialog Box to Configure a Container Object as an Administrative Point Administrative points are directory entries that represent the point in the metaverse namespace where an administrative area begins These directory entries enable you to define access control settings and collective attributes for specific sections of the directory tree You can create an administrative point by changing the Directory Specific Entry (dseType) attribute of an existing container object By creating administrative points throughout the directory tree you can map the administrative areas to your organizational structure When the default metadirectory database is initialized, three administrative points are created These are the default administrative areas for the metaverse namespace: ! The root (also called The Known Universe) ! The beginning of the naming context (for example, dc=Contoso) ! The beginning of the connector namespace (for example, MetaServer) For each of these default administrative points, there are administrative subentries that enable you to define permissions and collective attributes for the administrative area You can create additional administrative points in the directory tree to apply administrative authority specifically to that administrative area For example, you can create an administrative point at the organization level, whereby all of the directory entries under that point are to be administered differently than entries outside of the administrative area To create an additional administrative point in the metadirectory, either create a new directory entry in the tree, or select an existing entry that represents the starting point for the new administrative area Use the Entry Administration dialog box to set the dseType to Admin Point BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS What Are Administrative Subentries? Slide Objective Lead-in ! Administrative Subentries are Created to Contain the Settings for the Administrative Authority ! There are Two Types of Administrative Subentry: $ $ ! Access Control Subentries Collective Attributes Subentries Each Administrative Point can have One or More Administrative Subentry Administrative subentries are MMS directory entries that define administrative information for the entire administrative area with which they are associated Administrative areas are used to define either the security policy or the collective attributes for the administrative area Administrative subentries are located in the directory tree directly beneath the administrative point for which they are controlling You can create multiple administrative subentries for an administration point Key Points Administrative subentries are located in the directory tree directly beneath the administrative point for which they are controlling MMS creates several default administrative subentries when the directory is initialized These areas form the default administrative boundaries for the metaverse namespace The following table identifies the default administrative subentries Administrative Area Administrative Subentry Root (The Known Universe) Root Collectives Root Security Naming Context (Context Prefix) Context Security Context Shared Data Connector Namespace (Application Name) Connector Space Collectives Connector Space Security You can create one or more administrative subentries for each administrative point in the metadirectory tree Each administrative subentry is either an access control subentry or a collective attribute subentry It is not necessary to use both types of subentries for every administrative point in the directory BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS To create an administrative subentry, perform the following steps: Select the administrative point for which you are administering authority and insert a new object To insert a new directory entry object, first select the container object under which the object will be located Right-click the container object and click Insert On the Administrative tab, choose either Access Control Subentry or Collective Attribute Subentry Give the subentry a name that clearly denotes the role of the object For example, if you are creating an access control subentry for an organizational unit named Sales, name the administrative subentry Sales Security The subentry can now be easily identified when viewing the directory tree Configure the access control settings for the administrative area BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS Administrative Area Scope Slide Objective Administrative Area Scope Lead-in vancouverdom Applications Metaverse Claims Executives Alli Snelgrove Allianora Chhetri Allie Rzepczynski Alysa Eaton Executives Collectives Executives Security Context Context Admin Area Admin Area Admin Point Admin Point Executives Executives Admin Area Admin Area Administrative Administrative Subentries Subentries Investigations Marketing Money Dept Sales Context Security Context Shared Data The starting point of an administrative area is defined by the position of the administrative point in the directory tree Administrative points can be some point in the tree that marks the start of some organizational structure, such as the container object for an organizational unit You can also create additional administrative points throughout the tree by creating additional directory objects The access control permissions you define in a subentry apply to all entries below its administration point until the next administration point is reached, or until you reach the bottom of the directory tree Previous settings that were inherited from a higher subentry are replaced by the permissions you define in the subentry BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS # Access Control Settings for Administrative Areas Slide Objective Lead-in ! Defining User Classes For Assigning Permissions ! Using MMS Built-in Security Roles ! Setting Read and Modify Permissions ! Differentiating Between Granting and Denying Access Access control settings in MMS can be applied to a directory entry object, or to an administrative area Regardless of where you apply access control settings, the types of permission you can assign are the same The two categories of access control permissions are read and modify MMS defines three user classes for the purpose of assigning permissions These user classes enable you to efficiently configure access control settings by assigning permissions to the user class, rather than adding individual users to the access control list There are also three built-in security roles in MMS that have default permissions to the metadirectory There are three directory entries created for these roles by default, and you can also add specific individuals to these roles These individuals then possess the same access control permissions as the default security roles Access control settings can either be inclusive or exclusive When setting the access control permissions for an object, you can choose to either grant or deny permissions to users, or classes of users BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS Defining User Classes for Assigning Permissions Slide Objective Lead-in Self = Read + Modify Superior = Read Specific (* = *,ou=Entertainment,dc=c ontoso,dc=com) = Read Access Control Subentry There are three classes of users for whom you can specify access control You can use these classes, as well as specific users, when assigning permissions to metaverse data The following user classes are available when assigning permission in MMS: Key Points Because you can specify different permissions for specific individuals or classes of users, the most specific entry, or the best match, on the Permissions granted to list, is what is applied ! Anyone This class includes anyone who can access the directory, including anonymous logons and Web browser users ! Self This class includes only the person (or other entity) represented by this directory entry object ! Superior This class includes any directory object entry that is higher in the directory tree than this particular entry, but within its security administrative area When assigning permissions, you can also select the Specific option, and then add individual users, or lists, to the permissions list Specific does not specify a class of user, but rather indicates an individual directory entry object This object can represent a user, or a group of users, such as a list or organizational unit For individual or group entries, click the Select button then drag and drop their icons onto the Permissions granted to list from the directory tree You can include all child objects of a container object, such as an organizational unit, by using the asterisk (*) wildcard character For example, to include all entries under the Sale organizational unit, type *=*,ou=Sales,dc=contoso,dc=com in the Specific text field Because you can specify different permissions for specific individuals or classes of users, the most specific entry, or the best match, on the Permissions granted to list, is what is applied BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 10 Module 10: Administering MMS Using Built-in MMS Security Roles Slide Objective This Role This Role Lead-in Has These Permissions Has These Permissions Administrator Administrator Read and write permission to any object in the Read and write permission to any object in the directory directory Operator Operator Can see and execute the MA Configure and Can see and execute the MA Configure and Operate actions Operate actions Has access to the Access Control action and Has access to the Access Control action and security subentries at the Root, Context, and security subentries at the Root, Context, and Security Officer Connector Namespace Administrative points Security Officer Connector Namespace Administrative points Read and modify permission throughout most of Read and modify permission throughout most of the directory for security administration the directory for security administration There are three role-related directory entries, all of which are located immediately under the server entry in the directory tree Each of these entries has access to a different portion of the directory that corresponds to the responsibilities of the role Each of these role-related directory entries also has unique permissions to the directory: ! Administrator This directory entry object has permission to read or modify any object in the directory, except those objects to which it is specifically denied access When you install MMS, Administrator is the only directory entry that has a password, and it is the identity by which you must first log on ! Operator This directory entry object is granted access to parts of the directory that are related to its ongoing operation The Operator can see and execute the management agent Configure and Operate actions, but not the Design action You must assign a password to this entry to log on as Operator ! Security Officer This directory entry object can see and modify those parts of the directory that are related to administering access control settings These directory parts include the Access Control action and the security subentries at the Root, Context, and Connector Namespace administrative points The Security Officer role also has read and modify permission throughout most of the directory for general security administration Like the Operator, this entry cannot be used until one is assigned BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS 11 Role Lists Topic Objective ! Lead-in There are Three Default Role Lists, Located in the OU Created to Contain the MMS Server: $ Directory Administrators $ Directory Operators $ Security Officers ! All Members of Role Lists Have the Same Permissions as the Corresponding Role-Related Entries ! By Default, the Three Role-Related Entries are the Only Members of the Role Lists ! Drag and Drop Other Users in the Directory Tree Onto the Role List Entry to Make Them a Member of the List In addition to the three role-related directory entries, MMS creates three corresponding role lists These lists are created immediately under the Applications (server name) entry in the tree A role list is a container that enables you to give other directory entries the same rights and permissions to the metadirectory as the role-related entries themselves By default, the three role-related entries are the only members of the role lists The following are the role-related lists created when you install MMS: ! Directory Administrators All members of this list have the same rights and permissions as the Administrator An alias to the Administrator entry is the only initial member of this list ! Directory Operators All members of this list have the same rights and permissions as the Operator An alias to the Operator entry is the only initial member of this list ! Security Officers All members of this list have the same rights and permissions as the Security Officer An alias to the Security Officer entry is the only initial member of this list To add another directory object entry to a role list, drag and drop the entry onto the role list name in the directory tree When prompted, created an alias to the directory entry in the list When you add a user entry to the list, that user now has all the access control permissions of the role-related entry BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 12 Module 10: Administering MMS Setting Read and Modify Permissions Slide Objective Lead-in This Administration Area’s Security Policy Read or Modify Modify Read or Admin Area’s Read and Browse Permissions Admin Area’s Create, Modify or Delete Permissions Permission granted to: Anyone cn=Administrator,DsaName=vanco Entry can be seen Access is granted or denied to the Attributes in this list: Granted Denied all attributes New Anyone Self Superior Specific: Delete New Granted or Granted or Denied Denied Delete Help… User Class User Class Select… Anyone OK Cancel To set the security policy for an administrative area, you must first create an administrative subentry directly beneath the administrative point The permissions for this subentry identify the access control settings for the directory entries located in the administrative area Delivery Tip Demonstrate the setting of read and modify permissions in the This Area’s Permissions dialog box When you create or join a new directory entry to the metaverse namespace, it inherits the default security of its administrative area The access control settings for the default security subentries define the initial permissions for every entry in the directory tree These subentries are found beneath the Root, Context, and Connector Space administrative points The process of setting permissions for the administrative area is similar to setting access control for an object or attribute The list of permissions that you can grant or deny, however, is slightly different Read Permission Read permissions specify who is allowed to read and browse a directory entry If this access control permission is granted, the user can view the entry icon and the attributes of this entry Read permissions can be granted or denied for all of an entry’s attributes, or for a list of specific attributes When you assign read permissions for an administrative area, you also have the option to configure whether or not the entries are visible in the tree, for a particular user or class of user Modify Permission Modify permissions specify who is allowed to modify entry attribute values Like the read permission, modify can also apply to all attributes, or to a specific list of attributes There is also an option on the Modify tab of the This Administration Area’s Permissions dialog box to control whether or not the selected user, or class of user, can create or create or delete entries BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS 13 Granting and Denying Access Slide Objective Lead-in Create the Administrative Point Create the Access Control Subentry Open the Subentry Properties Add the Specific Users or Class Choose to Grant or Deny Access Assign to All or Specific Attributes When assigning permissions to entries in an administrative area, you can either grant or deny access control Granting access control enables the user to either read or modify a directory entry object or its attributes Denying access control prevents the user from reading or modifying the object or attribute To grant or deny permissions, perform the following steps: In the This Administration Area’s Permissions dialog box, add the user or class of user for whom you want to grant or deny access control You can select to assign permissions to either Anyone, Self, Superior, or Specific User If you are assigning permissions to a specific user, you can either type their distinguished name, or drag and drop the user by clicking Select Select Granted or Denied By default, this setting affects all attributes of an entry Ensure that All Attributes is selected in the attributes list To secure specific attributes, click New and type the name of the attribute to which you want to control access Add additional users, or classes of user, and attributes, until the access control settings are complete Click New under the Permissions Granted To: text field The new item in the list defaults to Anyone Select the user class, or the specific user, to whom you want to grant or deny permissions BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 14 Module 10: Administering MMS Overriding the Administrative Area Security Policy Slide Objective Lead-in ! You can Override the Security Policy for the Administrative Area by Setting Permissions on the Individual Entry ! Access Control Settings on the Individual Directory Entry Always Override the Security Policy for the Administrative Area ! Permissions on Entries are the Same as Permissions for Administrative Area $ Read $ Modify Administrative area permissions provide the default security for all entries in the metaverse namespace You can override this default security policy by changing the access control settings on the directory entry object itself You would this in situations where the security needs for an individual entry are different from the administrative area itself Access control entries placed on objects always override the entries inherited from the controlling subentry You can specifically configure access control settings for the entry in the This Entry’s Permissions dialog box As with Administrative Area security policy, there are two categories of permissions: read and modify To display the permissions for an entry, select the entry in the directory tree and click the Access Control action button To set permission for an entry, perform the following steps: Select the directory entry in the tree Click the Access Control action button Configure the entry’s read and modify permissions Note The process of setting permission for the directory entry is the same as for administrative areas There are only a few differences in the two dialog boxes For example, you not have the option to grant or deny the create permission at the entry level BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS 15 If your goal is to change the security for a group of entries, rather than an individual entry, then you can create a new administrative area that has different access control settings For example, if you have an administrative area where users are granted the permission to change their own personal identity data, but you not want to extend this permission to temporary employees, you can create an additional administrative point above the temporary employees in the tree, and deny modify permission in the security subentry for this new administrative area Important By denying access to the Anyone user class, you can effectively lock yourself out of an entry If you have configured access control settings on an entry such that you can no longer modify it, stop the MMS Server service, then start it from the command line using the –nosecurity switch Then you can whatever you like BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 16 Module 10: Administering MMS # Collective Attributes Slide Objective Lead-in ! What are Collective Attributes? ! Setting Collective Organizational Information In addition to defining security policy boundaries, administrative areas are also used to define the collective attributes of entries in the directory tree Collective attributes are shared directory entry properties Similar to access control settings, collective attributes are specific to the administrative area, and are configured by creating a collective attribute subentry beneath the administration point The administrative area defines the scope of collective attributes — it extends down the directory tree until another administration point is reached, or until MMS reaches the end of the tree There are two types of collective attributes: organizational and administrative Organizational data includes attributes that represent identity information common to all entries in an organization Administrative data includes information associated with an administrative area that determines how the entries are administered in the metadirectory BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS 17 What are Collective Attributes? Slide Objective Using Collective Attributes, You Can Set: Lead-in ! Organizational Information: $ $ Organization Information $ ! Telephone Numbers Address Information Administrative Information: $ Home Server $ Formsets $ Profiles Collective attributes are a subset of attributes that are inherited from the administrative area in which the entry is located These attributes are applied to every entry in the administrative area, and can include telephone, address, and other organizational information This information is displayed on the Organizational Info tab of an entry’s properties Collective attributes are also used to define administrative attributes, such as the home server, formsets, and profiles location for the administrative area Unlike access control settings, you cannot modify collective attribute values in individual directory entries While collective attributes appear in the entry’s properties, they are read-only Collective attributes can only be changed or deleted from within the collective attribute subentry dialog box itself An organization’s shared data is typically defined in the subentry at the beginning of the naming context, although you can create additional administrative subentries to configure specific sections of the directory tree You can also add your own collective attributes by creating new attributes and adding them to a subentry’s form BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 18 Module 10: Administering MMS Setting Collective Organizational Information Slide Objective Lead-in Create or open the Collectives Subentry Open the Subentry Properties Type the attribute values There are three default collective attribute subentries for the default administrative areas in the metadirectory If you are defining a new administrative area, insert a new collective attributes subentry directly beneath the administration point To set collective attributes for an administrative area, perform the following steps: Select or create the collective subentry for the administrative area Open the property sheet for the collective attributes administrative subentry On the Organizational Information and the Homeserver, Formsets and Profiles tab type the shared data for all entries in the area BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS 19 Best Practices Slide Objective Lead-in ! Use the directory administrators list when assigning permissions to MMS administrators ! Only allow directory administrators to view subentries ! Grant read and modify permissions to directory administrators for the entire administrative area ! Grant read and modify permissions to the Self user class for the administrative area ! Grant read and modify permissions to the Superior user class for directory entries The following list represents the best practices for securing the metadirectory data: ! Only use the Administrator role-related entry as a backdoor to gain access to otherwise locked out entries Since it is possible to lock out specific entries from modifying directory entry objects, use the directory administrator's list when assigning permissions to MMS administrators ! Create an access control entry on the security subentry and grant read and modify permissions to the directory administrator's list This prevents you from being able to modify the permissions for the administrative area The access control setting for the subentry overrides the settings for the administrative area ! Create an access control entry for the security subentry that only grants the view permission to the directory administrator's list This will make this subentry not be displayed in the directory tree for anyone other than directory administrators ! Grant read and modify permissions for administrative subentriesto the Self user class so that each user has control over their own data ! Grant read and modify permissions to the Superior user class for directory entry objects BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 20 Module 10: Administering MMS Lab A: Administering MMS Slide Objective To introduce the lab Lead-in In this lab, you will Explain the lab objectives Lab.doc BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS 21 Review Slide Objective To reinforce module objectives by reviewing key points Lead-in The review questions cover some of the key concepts taught in the module ! Introduction to Administering Metadirectory Data ! Overview of Administrative Areas ! Access Control Settings for Administrative Areas ! Overriding the Administrative Area Security Policy ! Collective Attributes ! Best Practices Users in your organization must have the ability to modify their own identity data by using MMS Compass How can you administer the metadirectory to achieve this goal? Ensure that all user entries are located in the default Context administrative area Configure the access control subentry for the naming context (Context Security) to grant read and modify permission to the Self user class for all of the attributes you want the user to control Temporary employees in your organization must not be able to modify their data How can you administer your metadirectory to achieve this goal? Create an organizational unit for temporary employees and configure this entry as an Admin Point Create an access control subentry for this administrative area that denies modify permission to the Self user class for all attributes Human Resource Department personnel in your organization must be able to modify the Hire Date attribute for their direct reports How can you administer the metadirectory to achieve this goal? For each administrative area that is controlling, grant read and modify access control settings for the Hire Date attribute to everyone in the Human Resources container object For example, in the Specific field, type * = *,ou=HR,dc=vancouverdom,dc=Contoso,dc=com BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 22 Module 10: Administering MMS You are the lead MMS administrator for you organization You have noticed that other administrators have modified the security policy for different administrative areas in the metadirectory tree How can you configure the access control subentries so that other MMS administrators are unable to modify the properties of these entries? The access control subentry is subject to the security policy defined for its administrative area You can override whatever permissions are inherited by the subentry by defining permissions on the subentry itself Open the This Subentry’s Permissions dialog box and deny modify permission to the Directory Administrators List, and grant modify permission to you Every user in your organization shares a common office address and office fax number Currently, when a new user object is created in the connected directory, this information is entered every time How can you administer the metadirectory to automatically assign these attribute values to every user in the organization? For the administrative area, configure the collective attributes for this organizational information Configure the necessary management agents to treat the metaverse namespace as authoritative for these attributes so that the connected directory is updated with these attribute values If a modification needs to be made, it only needs to be made in one place and all the metaverse namespace entries will be updated Then when the management agents run, they will propagate the change to their associated connected directory You have inadvertently set the access control settings on an administrative subentry object to deny modify permission to the Anyone user class Now you find that, even when logged on as Administrator, you not have permission to modify this entry How can you administer the metadirectory to modify the permissions for this subentry? It is possible to lock out the administrator from modifying specific directory entries, but denying access to the Anyone user class If this happens, stop the MMS Server service, and restart the service by typing viaserver –nosecurity from the command line BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY ... TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS Overview Slide Objective To provide an overview of the module topics and objectives ! Introduction to Administering Metadirectory Data... Identify best practices for administering the metadirectory BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 10: Administering MMS Introduction to Administering Metadirectory... MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 20 Module 10: Administering MMS Lab A: Administering MMS Slide Objective To introduce the lab Lead-in In this lab, you will