Isolate Organization Information in Active Directory
In the shared Active Directory configuration implemented by Microsoft Provisioning System (MPS), different organizations share the same domain. In this shared hosting environment, it is important to ensure that only authorized users can access the information and configuration settings for a given organization.
MPS uses access control entries (ACEs) to isolate organizations to prevent users in one organization from viewing or editing information about another organization in Active Directory or through the Delegated Administration Console.
You must set Active Directory to List Object mode as a prerequisite step for these procedures.
Use the List Contents ACE to Control Access
The List Contents ACE controls the ability of user accounts and groups to view the contents of a container object, such as an OU. Granting the List Contents permission on an object to a user account or group allows that user account or group to view all of the objects in the container object. Additional ACEs determine the type of access allowed to the object, such as Read or Write.
Limitations of the List Contents ACE
In a hosting environment, it is important to allow users to access only their own organization and its information. The List Contents ACE is normally used to control the visibility of information in a directory.
However, due to the hierarchical structure of the MPS hosting configuration, you cannot control access by using the List Contents ACE alone. In order to enable delegated administration, MPS creates a hierarchical directory structure, with the hosting container at the top level, and reseller and customer OUs nested within the hosting container. In this scenario, using the List Contents ACE will allow users to view not only their own organization, but others contained by the parent organization too. For example, if you grant List Contents permissions on the hosting OU to reseller user accounts, they can view not only their own organization, but all of those contained within the hosting environment.
Use the List Object ACE to Limit Viewing Permissions
To control who has permissions to view specific objects within an OU, MPS uses a special feature of Active Directory called List Object mode. You configure this mode running the MPS Configuration tool or by running the dsheuristics script provided in Microsoft Hosting Solutions for Service Providers.
When List Object mode is enabled for Active Directory, a new List Object ACE (ADS_RIGHT_DS_LIST_OBJECT) becomes available to objects in the directory. This List Object ACE provides more refined access control because, used in combination with other ACEs, it allows you to specify exactly which user accounts and groups can access exactly which objects within a given container object.
The List Object ACE does not grant or deny access. It simply controls whether or not Active Directory checks a user account or group's permissions on a requested object. If the user account or group has been granted List Object permissions on the parent object - in other words, the object that contains the requested object - then Active Directory checks the user account or group's permissions on the requested object and grants or denies access accordingly.
If the user account or group does not have List Object permissions on the parent object, Active Directory denies all access to the requested object. This prevents the user account or group from viewing the requested object in the directory. For example, if object A contains object B, and a user account requests object B, Active Directory first checks to see whether or not the user account has been granted List Object permissions on object A. If the user account has List Object permissions on object A, Active Directory checks the user account's permissions on object B and grants or denies access accordingly. If List Object is not granted to the user account on object A, Active Directory returns an Access Denied error.
Combine ACEs to Isolate Organization Information
MPS uses the List Object ACE in combination with other ACEs to give user accounts access only to specific organizations.
On the Hosting OU, for example, List Object permission is granted to the AllUsersGroups group. This group contains the AllUsers@Hosting and the AllUsers@reseller groups for any reseller organizations, thereby encompassing all user accounts in the hosting and reseller organizations. The List Object ACE has Active Directory check the permissions of a member of AllUsersGroups on a requested object in the Hosting OU. Additional ACEs set on the objects within Hosting grant and deny specific types of access to specific members of AllUsersGroups. These additional ACEs:
Allow members of reseller organizations to view their own organizations.
Grant access by members of the hosting organization to all reseller organizations.
For example, ACEs on an organization named reseller1, grant access to user accounts contained in the AllUsers@Hosting and AllUsers@Reseller1 groups. Only members of these two groups can access, or even view, reseller1 and its objects.
The same approach is used at the customer organization level. In this case, the List Object ACE is set on the reseller organization that contains the customer organization. The List Object ACE grants List Object permissions to members of AllUsers@reseller. Additional ACEs set on the customer organization grant access to AllUsers@Hosting, AllUsers@reseller, and AllUsers@customer.