Isolation of organization information in Active Directory

In a shared hosting configuration implemented by Microsoft Provisioning System, different organizations exist in the same domain. In this environment, it is important to ensure that only authorized users can access the information and configuration settings for a given organization.

This topic discusses how Microsoft Provisioning System uses access control entries (ACEs) to isolate organizations so that users in one organization cannot view or edit information about another organization in Active Directory or Delegated Administration Console. This topic assumes that you are familiar with basic Active Directory concepts and have reviewed the information in Implemented Active Directory groups and Active Directory hosting configuration.

Using the List Contents ACE to control access

The List Contents access control entry (ACE) controls the ability of user accounts and groups to view the contents of a container object, such as an organizational unit. Granting the List Contents permission on an object to a user account or group allows that user account or group to view all of the objects in the container object. Additional ACEs determine the type of access allowed to each object, for example Read or Write.

Limitations of the List Contents ACE

In a shared hosting environment, it is important to allow users to access only their own organization and its information. The List Contents ACE is normally used to control the visibility of information in a directory. However, due to the hierarchical structure of the Microsoft Provisioning System hosting configuration, you cannot control access by using the List Contents ACE alone.

In order to enable delegated administration, Microsoft Provisioning System creates a hierarchical directory structure, with the hosting container at the top level, and reseller and customer organizational units nested within it. In this scenario, using the List Contents ACE would allow users to view not only their own organization, but others contained by the parent organization as well. For example, if you granted List Contents permissions on the hosting organizational unit to reseller user accounts, they could view not only their own organization, but all of those contained within hosting.

Using the List Object ACE to limit viewing privileges

In order to control who has privileges to view specific objects within an organizational unit, Microsoft Provisioning System uses a special feature of Active Directory called list object mode. This mode is configured during Microsoft Provisioning System installation when you run the dheuristics script, as described in Performing installation tasks. When list object mode is enabled for Active Directory, a new List Object ACE (ADS_RIGHT_DS_LIST_OBJECT) becomes available for objects in the directory. This ACE gives more refined access control because, used in combination with other ACEs, it allows you to specify exactly which user accounts and groups can access exactly which objects within a given container object.

The List Object ACE does not grant or deny access on its own; it simply controls whether Active Directory checks a user account's or group's permissions on a requested object. If the user account or group has been granted List Object permissions on the parent object (the object that contains the requested object), then Active Directory checks the user account's or group's permissions on the requested object and grants or denies access accordingly. If the user account or group does not have List Object permissions on the parent object, Active Directory denies all access to the requested object, which prevents the user account or group from even seeing that object in the directory.

For example, if object A contains object B, and a user account requests object B, Active Directory first checks whether the user account has been granted List Object permissions on object A. If so, Active Directory checks the user account's permissions on object B and grants or denies access accordingly. If not, Active Directory returns an Access Denied error.

Using a combination of ACEs to isolate organization information

Microsoft Provisioning System uses the List Object ACE in combination with other ACEs to give user accounts access to specific organizations and no others. On the hosting organizational unit, for example, List Object permission is granted to the allusersgroups group. This group contains allusers@hosting as well as the allusers@reseller_domain group of every reseller organization, so it encompasses all user accounts in the hosting and reseller organizations.

The List Object ACE tells Active Directory to check the permissions of a member of allusersgroups on a requested object in hosting. Additional ACEs set on the objects within hosting grant and deny specific types of access to specific members of allusersgroups. They allow members of reseller organizations to view their own organizations, and grant members of the hosting organization access to all reseller organizations. For example, ACEs on an organization named reseller1 grant access to user accounts contained in the allusers@hosting and allusers@reseller1 groups. Only members of these two groups can access, or even view, reseller1 and its objects.

The same approach is used at the customer organization level. In this case, the List Object ACE is set on the reseller organization that contains the customer organization. It grants List Object permissions to members of allusers@reseller_domain. Additional ACEs set on the customer organization grant access to allusers@hosting, allusers@reseller_domain, and allusers@customer_domain.
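The following Python model is an added example and is not Microsoft Provisioning System code; it simulates the two access rules described on this page (List Contents on a container exposes every child; in list object mode, List Object on the container makes the check fall through to the child's own ACEs) over the hosting > reseller > customer hierarchy. The object names, the Read right, the principals and their group memberships are constructed for the example; the List Object grants to allusers@hosting on the reseller organizational units are an assumption added so that hosting staff can reach customer organizations, and are not stated on this page.

```python
# Added example (not MPS code): model of how Active Directory evaluates the
# List Contents and List Object ACEs over the MPS hosting hierarchy.
from dataclasses import dataclass, field

# Rights used by the model. ADS_RIGHT_DS_LIST_OBJECT is the AD right named on
# the page; "ListContents" and "Read" stand in for their AD counterparts.
LIST_CONTENTS = "ListContents"
LIST_OBJECT = "ADS_RIGHT_DS_LIST_OBJECT"
READ = "Read"


@dataclass
class DirObject:
    """A directory object with allow-only ACEs: group name -> set of rights."""
    name: str
    parent: "DirObject | None" = None
    aces: dict[str, set[str]] = field(default_factory=dict)
    children: list["DirObject"] = field(default_factory=list)

    def grant(self, group: str, *rights: str) -> "DirObject":
        self.aces.setdefault(group, set()).update(rights)
        return self

    def child(self, name: str) -> "DirObject":
        obj = DirObject(name, parent=self)
        self.children.append(obj)
        return obj


def has_right(obj: DirObject, groups: set[str], right: str) -> bool:
    """True if any of the principal's groups is granted `right` on obj."""
    return any(right in obj.aces.get(g, ()) for g in groups)


def can_view(obj: DirObject, groups: set[str], list_object_mode: bool) -> bool:
    """Decide whether a principal can view obj, following the page's rules:
    1. List Contents on the parent exposes every child, whatever the mode.
    2. In list object mode, List Object on the parent makes AD go on to
       check the principal's own rights (here: Read) on the object itself.
    3. Otherwise the object is hidden (AD returns Access Denied).
    """
    parent = obj.parent
    if parent is None:  # top of the tree: only the object's own ACEs apply
        return has_right(obj, groups, READ)
    if has_right(parent, groups, LIST_CONTENTS):
        return True
    if list_object_mode and has_right(parent, groups, LIST_OBJECT):
        return has_right(obj, groups, READ)
    return False


def visible(container: DirObject, groups: set[str], list_object_mode: bool) -> list[str]:
    """Names of the objects directly under container that the principal can view."""
    return [c.name for c in container.children if can_view(c, groups, list_object_mode)]


def build_hierarchy(list_object_mode: bool) -> dict[str, DirObject]:
    """hosting > {reseller1 > customer1, reseller2} with the ACEs the page describes.
    With list object mode off, hosting falls back to List Contents for
    allusersgroups, which reproduces the limitation described in the text."""
    hosting = DirObject("OU=hosting").grant("allusers@hosting", READ)
    # allusersgroups nests allusers@hosting and every allusers@reseller_* group
    hosting.grant("allusersgroups", LIST_OBJECT if list_object_mode else LIST_CONTENTS)

    reseller1 = hosting.child("OU=reseller1")
    reseller1.grant("allusers@hosting", READ).grant("allusers@reseller1", READ)
    # List Object on the reseller OU for its own members (from the page) and,
    # as an assumption in this example, for hosting staff as well
    reseller1.grant("allusers@reseller1", LIST_OBJECT).grant("allusers@hosting", LIST_OBJECT)

    reseller2 = hosting.child("OU=reseller2")
    reseller2.grant("allusers@hosting", READ).grant("allusers@reseller2", READ)
    reseller2.grant("allusers@reseller2", LIST_OBJECT).grant("allusers@hosting", LIST_OBJECT)

    customer1 = reseller1.child("OU=customer1")
    for group in ("allusers@hosting", "allusers@reseller1", "allusers@customer1"):
        customer1.grant(group, READ)
    return {o.name: o for o in (hosting, reseller1, reseller2, customer1)}


# Effective group membership of three constructed principals; allusersgroups is
# nested, so hosting and reseller users carry it as well.
HOSTING_USER = {"allusers@hosting", "allusersgroups"}
RESELLER1_USER = {"allusers@reseller1", "allusersgroups"}
RESELLER2_USER = {"allusers@reseller2", "allusersgroups"}


def what_can_see(groups: set[str], list_object_mode: bool) -> dict[str, list[str]]:
    """What the principal sees directly under hosting and under reseller1."""
    tree = build_hierarchy(list_object_mode)
    return {c: visible(tree[c], groups, list_object_mode) for c in ("OU=hosting", "OU=reseller1")}


if __name__ == "__main__":
    for label, groups in (("hosting", HOSTING_USER), ("reseller1", RESELLER1_USER), ("reseller2", RESELLER2_USER)):
        print(f"{label} user, list object mode on : {what_can_see(groups, True)}")
    print(f"reseller1 user, List Contents instead: {what_can_see(RESELLER1_USER, False)}")
```

Running the module shows the isolation the page describes: with list object mode on, a reseller1 user sees only OU=reseller1 under hosting and only OU=customer1 under it, a reseller2 user sees nothing under reseller1, and the hosting user sees every organization; with List Contents on hosting instead, the reseller1 user enumerates reseller2 as well.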

For a complete list of ACEs set by Microsoft Provisioning System, see Implemented access control entries.