Contents
Overview  1
Introduction to Administering Metadirectory Data  2
Overview of Administrative Areas  3
Access Control Settings for Administrative Areas  8
Overriding the Administrative Area Security Policy  14
Collective Attributes  16
Best Practices  19
Lab A: Administering MMS  20
Review  21
Module 10:
Administering MMS
BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, BackOffice, MS-DOS, Windows, and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Overview
• Introduction to Administering Metadirectory Data
• Overview of Administrative Areas
• Access Control Settings for Administrative Areas
• Overriding the Administrative Area Security Policy
• Collective Attributes
• Best Practices
Administration of the metaverse namespace is typically performed through the
authoritative connected directories. There are two administrative tasks that you
perform in the metadirectory itself: securing the metadirectory, and assigning
collective attributes to the data. Both of these are accomplished by working
with administrative areas. Administrative areas define a section of the
metaverse namespace to which you can assign permissions and apply collective
attributes. This allows you to manage MMS in larger, more efficient blocks of
data.
At the end of this module, you will be able to:
• Identify the tasks required to administer metadirectory data.
• Describe administrative areas, administrative points, and subentries.
• Set access control settings for administrative areas.
• Override access control settings for objects and attributes.
• Describe and define collective attributes for administrative areas.
• Identify best practices for administering the metadirectory.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to administer metadirectory data, including assigning permissions to secure the data and using collective attributes to define attributes for multiple object entries.
Introduction to Administering Metadirectory Data
• Administering Metadirectory Data Includes Assigning Permissions and Collective Attributes
• Administrative Areas Define the Scope of Administration in the Metaverse Namespace
• Security and Collective Attributes Subentries Are Used to Define the Administration of the Administrative Area
• Security Can Be Applied on the Administrative Area, or on Individual Directory Entries
• Collective Attributes Can Only Be Applied on the Administrative Area
You can collectively administer metaverse data by using administrative areas.
An administrative area defines a section of the directory tree that can be
administered in a similar way. Administrative areas control both the
permissions applied to an object and the shared attributes that are common to
all objects in the administrative area.
After you define an administrative area, you can set access control settings for
the specific area that defines what permissions users have to the data. These
settings then become the security policy for the administrative area. You can
also set permissions on specific directory entries that are different from the
default security policy.
Administrative areas also define the collective attributes that are shared by all
objects in the area. Use collective attributes for attribute values that are the
same for all objects in the area. Collective attributes are also used to manage
administrative attributes, such as the attributes displayed on the entry’s
properties sheet. Collective attributes simplify MMS administration by offering
a single point of entry for common organizational data, such as a mailing
address or fax number. Since collective attributes are read-only at the entry
level, they are also used to enforce consistency for data that cannot change
across the area.
Slide Objective: To introduce the concept of administering the metadirectory data.
Lead-in: You will use administrative areas to assign access permissions to a specific section in the metadirectory.
Overview of Administrative Areas
[Slide diagram: an administrative point, its administrative subentries, and the administrative area scope beneath it]
An administrative area is a contiguous portion of the directory tree where a
specific type of administrative authority is in control. This administrative
authority can either be the permission to modify the access control settings for
the administrative area, or the permission to define collective attributes for the
directory entries within that area. The administrative area defines the scope of
the authority exercised.
There are three key elements to understanding administrative areas:
• Administrative points. An administrative area begins immediately below an object that is defined as an administrative point. The administrative point represents the scope of the authority, extending down the directory tree until another administrative point exists, or until MMS reaches the end of the subtree.
• Administrative subentries. An administrative subentry identifies what kind of administration is exercised at the administrative point. The subentry can determine either security or collective data for the administrative area. For the administrative area to be effective, you must create an administrative subentry immediately below it.
• Administrative area scope. The scope of an administrative area is determined by the hierarchical position of the administrative point to which it is associated. An administrative area controls every object in the tree below the administrative point, until another administrative point, or the end of the tree, is reached.
Delivery Tip: Be sure to explain what an administrative area is on this page.
What Are Administrative Points?
• Administrative Points Define the Starting Point of the Administrative Area
• There Are Three Default Administrative Points:
  ◦ The Known Universe
  ◦ Top of the Naming Context
  ◦ Top of the Connector Namespace
• Any Container Object in the Directory Tree Can Be Configured as an Administrative Point
• Use the Entry Administration Dialog Box to Configure a Container Object as an Administrative Point
Administrative points are directory entries that represent the point in the
metaverse namespace where an administrative area begins. These directory
entries enable you to define access control settings and collective attributes for
specific sections of the directory tree. You can create an administrative point by
changing the Directory Specific Entry (dseType) attribute of an existing
container object. By creating administrative points throughout the directory tree
you can map the administrative areas to your organizational structure.
When the default metadirectory database is initialized, three administrative
points are created. These are the default administrative areas for the metaverse
namespace:
• The root (also called The Known Universe).
• The beginning of the naming context (for example, dc=Contoso).
• The beginning of the connector namespace (for example, MetaServer).
For each of these default administrative points, there are administrative
subentries that enable you to define permissions and collective attributes for the
administrative area.
You can create additional administrative points in the directory tree to apply
administrative authority specifically to that administrative area. For example,
you can create an administrative point at the organization level, whereby all of
the directory entries under that point are to be administered differently than
entries outside of the administrative area.
To create an additional administrative point in the metadirectory, either create a
new directory entry in the tree, or select an existing entry that represents the
starting point for the new administrative area. Use the Entry Administration
dialog box to set the dseType to Admin Point.
Delivery Tip: To illustrate administrative points, open the Administration dialog box and point out the Admin Point check box.
What Are Administrative Subentries?
• Administrative Subentries Are Created to Contain the Settings for the Administrative Authority
• There Are Two Types of Administrative Subentry:
  ◦ Access Control Subentries
  ◦ Collective Attributes Subentries
• Each Administrative Point Can Have One or More Administrative Subentries
Administrative subentries are MMS directory entries that define administrative
information for the entire administrative area with which they are associated.
Each subentry defines either the security policy or the collective attributes
for the administrative area. Administrative subentries are located in the
directory tree directly beneath the administrative point that they control. You
can create multiple administrative subentries for an administrative point.
MMS creates several default administrative subentries when the directory is
initialized. These areas form the default administrative boundaries for the
metaverse namespace. The following table identifies the default administrative
subentries.
Administrative Area                        Administrative Subentry
Root (The Known Universe)                  Root Collectives
                                           Root Security
Naming Context (Context Prefix)            Context Security
                                           Context Shared Data
Connector Namespace (Application Name)     Connector Space Collectives
                                           Connector Space Security
You can create one or more administrative subentries for each administrative
point in the metadirectory tree. Each administrative subentry is either an access
control subentry or a collective attribute subentry. It is not necessary to use both
types of subentries for every administrative point in the directory.
Key Points: Administrative subentries are located in the directory tree directly beneath the administrative point that they control.
To create an administrative subentry, perform the following steps:
1. Select the administrative point for which you are administering authority
and insert a new object.
To insert a new directory entry object, first select the container object under
which the object will be located. Right-click the container object and click
Insert.
2. On the Administrative tab, choose either Access Control Subentry or
Collective Attribute Subentry.
3. Give the subentry a name that clearly denotes the role of the object.
For example, if you are creating an access control subentry for an
organizational unit named Sales, name the administrative subentry Sales
Security. The subentry can now be easily identified when viewing the
directory tree.
4. Configure the access control settings for the administrative area.
Administrative Area Scope
[Slide diagram of a directory tree (vancouverdom; Applications; Metaverse; Claims, Executives, Investigations, Marketing, Money Dept, Sales; the user entries Allianora Chhetri, Allie Rzepczynski, Alli Snelgrove and Alysa Eaton), showing the Context admin area with its Context Security and Context Shared Data subentries and the Executives admin area with its Executives Collectives and Executives Security subentries; the admin points and administrative subentries are labelled]
The starting point of an administrative area is defined by the position of the
administrative point in the directory tree. An administrative point is typically
a point in the tree that marks the start of an organizational structure, such as
the container object for an organizational unit. You can also create additional
administrative points throughout the tree by creating additional directory
objects.
The access control permissions you define in a subentry apply to all entries
below its administration point until the next administration point is reached, or
until you reach the bottom of the directory tree. Previous settings that were
inherited from a higher subentry are replaced by the permissions you define in
the subentry.
Access Control Settings for Administrative Areas
• Defining User Classes for Assigning Permissions
• Using MMS Built-in Security Roles
• Setting Read and Modify Permissions
• Differentiating Between Granting and Denying Access
Access control settings in MMS can be applied to a directory entry object, or to
an administrative area. Regardless of where you apply access control settings,
the types of permission you can assign are the same. The two categories of
access control permissions are read and modify.
MMS defines three user classes for the purpose of assigning permissions. These
user classes enable you to efficiently configure access control settings by
assigning permissions to the user class, rather than adding individual users to
the access control list.
There are also three built-in security roles in MMS that have default
permissions to the metadirectory. There are three directory entries created for
these roles by default, and you can also add specific individuals to these roles.
These individuals then possess the same access control permissions as the
default security roles.
Access control settings can either be inclusive or exclusive. When setting the
access control permissions for an object, you can choose to either grant or deny
permissions to users, or classes of users.
Defining User Classes for Assigning Permissions
[Slide diagram: an access control subentry granting Self = Read + Modify, Superior = Read, and Specific (*=*,ou=Entertainment,dc=contoso,dc=com) = Read]
There are three classes of users for whom you can specify access control. You
can use these classes, as well as specific users, when assigning permissions to
metaverse data. The following user classes are available when assigning
permission in MMS:
• Anyone. This class includes anyone who can access the directory, including anonymous logons and Web browser users.
• Self. This class includes only the person (or other entity) represented by this directory entry object.
• Superior. This class includes any directory object entry that is higher in the directory tree than this particular entry, but within its security administrative area.
When assigning permissions, you can also select the Specific option, and then
add individual users, or lists, to the permissions list. Specific does not specify a
class of user, but rather indicates an individual directory entry object. This
object can represent a user, or a group of users, such as a list or organizational
unit.
For individual or group entries, click the Select button, then drag and drop their
icons from the directory tree onto the Permissions granted to list. You can
include all child objects of a container object, such as an organizational unit, by
using the asterisk (*) wildcard character. For example, to include all entries
under the Sales organizational unit, type *=*,ou=Sales,dc=contoso,dc=com in
the Specific text field.
Because you can specify different permissions for specific individuals or
classes of users, the most specific entry, or the best match, on the Permissions
granted to list, is what is applied.
Using Built-in MMS Security Roles
This Role           Has These Permissions
Administrator       Read and write permission to any object in the directory
Operator            Can see and execute the MA Configure and Operate actions
Security Officer    Has access to the Access Control action and security subentries at the Root, Context, and Connector Namespace administrative points. Read and modify permission throughout most of the directory for security administration
There are three role-related directory entries, all of which are located
immediately under the server entry in the directory tree. Each of these entries
has access to a different portion of the directory that corresponds to the
responsibilities of the role.
Each of these role-related directory entries also has unique permissions to the
directory:
• Administrator. This directory entry object has permission to read or modify any object in the directory, except those objects to which it is specifically denied access. When you install MMS, Administrator is the only directory entry that has a password, and it is the identity by which you must first log on.
• Operator. This directory entry object is granted access to parts of the directory that are related to its ongoing operation. The Operator can see and execute the management agent Configure and Operate actions, but not the Design action. You must assign a password to this entry to log on as Operator.
• Security Officer. This directory entry object can see and modify those parts of the directory that are related to administering access control settings. These directory parts include the Access Control action and the security subentries at the Root, Context, and Connector Namespace administrative points. The Security Officer role also has read and modify permission throughout most of the directory for general security administration. Like the Operator, this entry cannot be used until a password is assigned.
Role Lists
• There Are Three Default Role Lists, Located in the OU Created to Contain the MMS Server:
  ◦ Directory Administrators
  ◦ Directory Operators
  ◦ Security Officers
• All Members of Role Lists Have the Same Permissions as the Corresponding Role-Related Entries
• By Default, the Three Role-Related Entries Are the Only Members of the Role Lists
• Drag and Drop Other Users in the Directory Tree Onto the Role List Entry to Make Them a Member of the List
In addition to the three role-related directory entries, MMS creates three
corresponding role lists. These lists are created immediately under the
Applications (server name) entry in the tree. A role list is a container that
enables you to give other directory entries the same rights and permissions to
the metadirectory as the role-related entries themselves. By default, the three
role-related entries are the only members of the role lists.
The following are the role-related lists created when you install MMS:
• Directory Administrators. All members of this list have the same rights and permissions as the Administrator. An alias to the Administrator entry is the only initial member of this list.
• Directory Operators. All members of this list have the same rights and permissions as the Operator. An alias to the Operator entry is the only initial member of this list.
• Security Officers. All members of this list have the same rights and permissions as the Security Officer. An alias to the Security Officer entry is the only initial member of this list.
To add another directory object entry to a role list, drag and drop the entry onto
the role list name in the directory tree. When prompted, create an alias to the
directory entry in the list. When you add a user entry to the list, that user now
has all the access control permissions of the role-related entry.
Setting Read and Modify Permissions
[Slide: the This Administration Area's Security Policy dialog box. Its tabs are Admin Area's Read and Browse Permissions and Admin Area's Create, Modify or Delete Permissions. Each tab has a Permission granted to list (user class: Anyone, Self, Superior, or Specific, with a Select button for specific entries), an Entry can be seen check box, a Granted or Denied choice, and an Access is granted or denied to the attributes in this list box that defaults to all attributes.]
To set the security policy for an administrative area, you must first create an
administrative subentry directly beneath the administrative point. The
permissions for this subentry identify the access control settings for the
directory entries located in the administrative area.
When you create or join a new directory entry to the metaverse namespace, it
inherits the default security of its administrative area. The access control
settings for the default security subentries define the initial permissions for
every entry in the directory tree. These subentries are found beneath the Root,
Context, and Connector Space administrative points.
The process of setting permissions for the administrative area is similar to
setting access control for an object or attribute. The list of permissions that you
can grant or deny, however, is slightly different.
Read Permission
Read permissions specify who is allowed to read and browse a directory entry.
If this access control permission is granted, the user can view the entry icon and
the attributes of this entry. Read permissions can be granted or denied for all of
an entry’s attributes, or for a list of specific attributes. When you assign read
permissions for an administrative area, you also have the option to configure
whether or not the entries are visible in the tree, for a particular user or class of
user.
Modify Permission
Modify permissions specify who is allowed to modify entry attribute values.
Like the read permission, modify can also apply to all attributes, or to a specific
list of attributes. There is also an option on the Modify tab of the This
Administration Area's Permissions dialog box to control whether or not the
selected user, or class of user, can create or delete entries.
Delivery Tip: Demonstrate the setting of read and modify permissions in the This Area's Permissions dialog box.
Granting and Denying Access
[Slide flow: Create the Administrative Point → Create the Access Control Subentry → Open the Subentry Properties → Add the Specific Users or Class → Choose to Grant or Deny Access → Assign to All or Specific Attributes]
When assigning permissions to entries in an administrative area, you can either
grant or deny access control. Granting access control enables the user to either
read or modify a directory entry object or its attributes. Denying access control
prevents the user from reading or modifying the object or attribute.
To grant or deny permissions, perform the following steps:
1. In the This Administration Area’s Permissions dialog box, add the user or
class of user for whom you want to grant or deny access control.
You can select to assign permissions to either Anyone, Self, Superior, or
Specific User. If you are assigning permissions to a specific user, you can
either type their distinguished name, or drag and drop the user by clicking
Select.
2. Select Granted or Denied.
By default, this setting affects all attributes of an entry. Ensure that All
Attributes is selected in the attributes list. To secure specific attributes, click
New and type the name of the attribute to which you want to control access.
3. Add additional users, or classes of user, and attributes, until the access
control settings are complete.
Click New under the Permissions Granted To: text field. The new item in
the list defaults to Anyone. Select the user class, or the specific user, to
whom you want to grant or deny permissions.
Overriding the Administrative Area Security Policy
• You Can Override the Security Policy for the Administrative Area by Setting Permissions on the Individual Entry
• Access Control Settings on the Individual Directory Entry Always Override the Security Policy for the Administrative Area
• Permissions on Entries Are the Same as Permissions for the Administrative Area:
  ◦ Read
  ◦ Modify
Administrative area permissions provide the default security for all entries in
the metaverse namespace. You can override this default security policy by
changing the access control settings on the directory entry object itself. You
would do this in situations where the security needs for an individual entry are
different from the administrative area itself. Access control entries placed on
objects always override the entries inherited from the controlling subentry.
You can specifically configure access control settings for the entry in the This
Entry’s Permissions dialog box. As with Administrative Area security policy,
there are two categories of permissions: read and modify. To display the
permissions for an entry, select the entry in the directory tree and click the
Access Control action button.
To set permissions for an entry, perform the following steps:
1. Select the directory entry in the tree.
2. Click the Access Control action button.
3. Configure the entry's read and modify permissions.
   The process of setting permissions for the directory entry is the same as
   for administrative areas. There are only a few differences between the two
   dialog boxes. For example, you do not have the option to grant or deny the
   create permission at the entry level.
Note: If your goal is to change the security for a group of entries, rather than an
individual entry, then you can create a new administrative area that has different
access control settings. For example, if you have an administrative area where
users are granted the permission to change their own personal identity data, but
you do not want to extend this permission to temporary employees, you can
create an additional administrative point above the temporary employees in the
tree, and deny modify permission in the security subentry for this new
administrative area.
Important: By denying access to the Anyone user class, you can effectively
lock yourself out of an entry. If you have configured access control settings on
an entry such that you can no longer modify it, stop the MMS Server service,
then start it from the command line using the -nosecurity switch. Then you can
do whatever you like.
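The scope rule (an area runs from just below its administrative point down to the next one), the Anyone / Self / Superior / Specific user classes with best-match resolution, attribute-level read and modify settings, entry-level overrides and the Anyone lock-out described above can be exercised together in a small model. This is an added example, not MMS code or the course lab: the DNs, the ordering of user classes by specificity, the deny-wins tie-break, the default of no access when nothing applies, and the nosecurity flag that stands in for the -nosecurity switch are assumptions made for the model.

```python
# Added example (not from the MMS course): a model of how a requester's permission on
# a metaverse entry is resolved from its administrative area, the Anyone / Self /
# Superior / Specific user classes, and entry-level overrides. Ranking, tie-break and
# default rules are assumptions; DNs and ACEs in sample_metaverse() are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

ROOT = ""  # the root entry ("The Known Universe"), itself a default admin point

def parent_dn(dn: str) -> str:
    """Strip the leftmost RDN: 'cn=a,ou=b' -> 'ou=b'; a single RDN -> ROOT."""
    _, sep, rest = dn.partition(",")
    return rest if sep else ROOT

def is_under(dn: str, container: str) -> bool:
    """True if dn lies strictly below container in the tree."""
    return dn != ROOT if container == ROOT else dn.endswith("," + container)

@dataclass(frozen=True)
class Ace:
    subject: str     # "anyone", "self", "superior", an exact DN, or "*=*,<container DN>"
    perm: str        # "read" or "modify"
    granted: bool    # Granted (True) or Denied (False)
    attributes: Optional[frozenset] = None   # None = all attributes

@dataclass
class AdminPoint:
    dn: str
    security: Tuple[Ace, ...]   # ACEs held by the area's access control subentry

def subject_rank(ace: Ace, requester: str, target: str, area_dn: str) -> int:
    """How specifically the ACE names the requester (-1 = does not apply). Assumed
    order, most specific first: exact DN, wildcard container, Self, Superior, Anyone."""
    s = ace.subject
    if s == "anyone":
        return 0
    if s == "superior":  # above the target, but within the same security area
        return 1 if is_under(target, requester) and is_under(requester, area_dn) else -1
    if s == "self":
        return 2 if requester == target else -1
    if s.startswith("*=*,"):  # e.g. *=*,ou=Sales,dc=contoso,dc=com
        return 3 if is_under(requester, s[4:]) else -1
    return 4 if requester == s else -1

class Metaverse:
    def __init__(self, admin_points, entry_aces=None):
        self.admin_points = {ap.dn: ap for ap in admin_points}
        self.entry_aces = dict(entry_aces or {})  # target DN -> ACEs set on that entry

    def controlling_admin_point(self, dn: str) -> Optional[AdminPoint]:
        """An area starts immediately below its admin point and ends at the next one."""
        while dn != ROOT:
            dn = parent_dn(dn)
            if dn in self.admin_points:
                return self.admin_points[dn]
        return None

    def check(self, requester: str, target: str, perm: str,
              attribute: str = "*", nosecurity: bool = False) -> bool:
        """True if requester may `perm` the attribute ('*' = the entry as a whole)."""
        if nosecurity:  # server started with the -nosecurity switch: no access control
            return True
        area = self.controlling_admin_point(target)
        area_dn, area_aces = (area.dn, area.security) if area else (ROOT, ())
        # ACEs on the entry itself always override those inherited from the subentry
        for aces in (self.entry_aces.get(target, ()), area_aces):
            best = None  # (subject rank, attribute-specific?, denied?)
            for ace in aces:
                if ace.perm != perm or (ace.attributes is not None
                                        and attribute not in ace.attributes):
                    continue
                rank = subject_rank(ace, requester, target, area_dn)
                if rank >= 0:
                    key = (rank, ace.attributes is not None, not ace.granted)
                    if best is None or key > best:  # best match; Denied wins a tie
                        best = key
            if best is not None:
                return not best[2]
        return False  # nothing applies: no access

CTX = "dc=contoso,dc=com"
SALES, TEMPS = "ou=Sales," + CTX, "ou=Temps,ou=Sales," + CTX
ADMIN = "cn=Administrator,ou=Applications," + CTX  # constructed DN for the Administrator

def sample_metaverse() -> Metaverse:
    """Constructed tree: Context Security lets users modify their own entry; a Temps
    admin point below Sales takes that away from temporary employees."""
    context_security = (Ace("anyone", "read", True), Ace("superior", "read", True),
                        Ace("self", "modify", True), Ace(ADMIN, "modify", True))
    temps_security = (Ace("anyone", "read", True), Ace("self", "modify", False),
                      Ace(ADMIN, "modify", True))
    return Metaverse(
        [AdminPoint(ROOT, ()), AdminPoint(CTX, context_security),
         AdminPoint(TEMPS, temps_security)],
        entry_aces={
            # denying Anyone on the entry locks out everyone, the Administrator included
            "cn=Alysa Eaton," + SALES: (Ace("anyone", "modify", False),),
            "cn=Allie Rzepczynski," + SALES: (
                Ace("anyone", "read", False, frozenset({"homePhone"})),
                Ace("self", "read", True, frozenset({"homePhone"}))),
        })
```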
Collective Attributes
• What Are Collective Attributes?
• Setting Collective Organizational Information
In addition to defining security policy boundaries, administrative areas are also
used to define the collective attributes of entries in the directory tree. Collective
attributes are shared directory entry properties. Similar to access control
settings, collective attributes are specific to the administrative area, and are
configured by creating a collective attribute subentry beneath the administration
point. The administrative area defines the scope of collective attributes — it
extends down the directory tree until another administration point is reached, or
until MMS reaches the end of the tree.
There are two types of collective attributes: organizational and administrative.
Organizational data includes attributes that represent identity information
common to all entries in an organization. Administrative data includes
information associated with an administrative area that determines how the
entries are administered in the metadirectory.
What Are Collective Attributes?
Using Collective Attributes, You Can Set:
• Organizational Information:
  ◦ Telephone Numbers
  ◦ Organization Information
  ◦ Address Information
• Administrative Information:
  ◦ Home Server
  ◦ Formsets
  ◦ Profiles
Collective attributes are a subset of attributes that are inherited from the
administrative area in which the entry is located. These attributes are applied to
every entry in the administrative area, and can include telephone, address, and
other organizational information. This information is displayed on the
Organizational Info tab of an entry’s properties. Collective attributes are also
used to define administrative attributes, such as the home server, formsets, and
profiles location for the administrative area.
Unlike access control settings, you cannot modify collective attribute values in
individual directory entries. While collective attributes appear in the entry’s
properties, they are read-only. Collective attributes can only be changed or
deleted from within the collective attribute subentry dialog box itself.
An organization’s shared data is typically defined in the subentry at the
beginning of the naming context, although you can create additional
administrative subentries to configure specific sections of the directory tree.
You can also add your own collective attributes by creating new attributes and
adding them to a subentry’s form.
Setting Collective Organizational Information
Create or open the Collectives Subentry
Open the Subentry Properties
Type the attribute values
There are three default collective attribute subentries for the default
administrative areas in the metadirectory. If you are defining a new
administrative area, insert a new collective attributes subentry directly beneath
the administration point.
To set collective attributes for an administrative area, perform the following
steps:
1. Select or create the collective subentry for the administrative area.
2. Open the property sheet for the collective attributes administrative subentry.
3. On the Organizational Information tab and the Homeserver, Formsets and
Profiles tab, type the shared data for all entries in the area.
Best Practices
! Use the directory administrators list when assigning permissions to MMS
  administrators.
! Only allow directory administrators to view subentries.
! Grant read and modify permissions to directory administrators for the entire
  administrative area.
! Grant read and modify permissions to the Self user class for the
  administrative area.
! Grant read and modify permissions to the Superior user class for directory
  entries.
The following list represents the best practices for securing the metadirectory
data:
! Only use the Administrator role-related entry as a backdoor to gain access to
  otherwise locked out entries.
  Since it is possible to lock out specific entries from modifying directory
  entry objects, use the directory administrator's list when assigning
  permissions to MMS administrators.
! Create an access control entry on the security subentry and grant read and
  modify permissions to the directory administrator's list.
  This prevents you from being able to modify the permissions for the
  administrative area. The access control setting for the subentry overrides the
  settings for the administrative area.
! Create an access control entry for the security subentry that only grants the
  view permission to the directory administrator's list.
  This hides the subentry in the directory tree from anyone other than
  directory administrators.
! Grant read and modify permissions for administrative subentries to the Self
  user class so that each user has control over their own data.
! Grant read and modify permissions to the Superior user class for directory
  entry objects.
Lab A: Administering MMS
Lab.doc
Slide Objective: To introduce the lab.
Lead-in: In this lab, you will
Explain the lab objectives.
Review
! Introduction to Administering Metadirectory Data
! Overview of Administrative Areas
! Access Control Settings for Administrative Areas
! Overriding the Administrative Area Security Policy
! Collective Attributes
! Best Practices
1. Users in your organization must have the ability to modify their own
identity data by using MMS Compass. How can you administer the
metadirectory to achieve this goal?
Ensure that all user entries are located in the default Context
administrative area. Configure the access control subentry for the
naming context (Context Security) to grant read and modify permission
to the Self user class for all of the attributes you want the user to
control.
2. Temporary employees in your organization must not be able to modify their
data. How can you administer your metadirectory to achieve this goal?
Create an organizational unit for temporary employees and configure
this entry as an Admin Point. Create an access control subentry for this
administrative area that denies modify permission to the Self user class
for all attributes.
3. Human Resource Department personnel in your organization must be able
to modify the Hire Date attribute for their direct reports. How can you
administer the metadirectory to achieve this goal?
For each administrative area that is controlling, grant read and modify
access control settings for the Hire Date attribute to everyone in the
Human Resources container object. For example, in the Specific field,
type * = *,ou=HR,dc=vancouverdom,dc=Contoso,dc=com.
Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.
4. You are the lead MMS administrator for your organization. You have
noticed that other administrators have modified the security policy for
different administrative areas in the metadirectory tree. How can you
configure the access control subentries so that other MMS administrators
are unable to modify the properties of these entries?
The access control subentry is subject to the security policy defined for
its administrative area. You can override whatever permissions are
inherited by the subentry by defining permissions on the subentry itself.
Open the This Subentry’s Permissions dialog box and deny modify
permission to the Directory Administrators List, and grant modify
permission to you.
5. Every user in your organization shares a common office address and office
fax number. Currently, when a new user object is created in the connected
directory, this information is entered every time. How can you administer
the metadirectory to automatically assign these attribute values to every user
in the organization?
For the administrative area, configure the collective attributes for this
organizational information. Configure the necessary management
agents to treat the metaverse namespace as authoritative for these
attributes so that the connected directory is updated with these
attribute values. If a modification needs to be made, it only needs to be
made in one place and all the metaverse namespace entries will be
updated. Then when the management agents run, they will propagate
the change to their associated connected directory.
6. You have inadvertently set the access control settings on an administrative
subentry object to deny modify permission to the Anyone user class. Now
you find that, even when logged on as Administrator, you do not have
permission to modify this entry. How can you administer the metadirectory
to modify the permissions for this subentry?
It is possible to lock out the administrator from modifying specific
directory entries by denying access to the Anyone user class. If this
happens, stop the MMS Server service, and restart the service by typing
viaserver –nosecurity from the command line.
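The following is an added example, not code from MMS or from this course, that models the scoping rule the module states: an entry takes both its collective attributes and its security policy from the nearest administration point above it, permissions set on a subentry itself override what it inherits, and a deny wins over a grant (the situations in review questions 2 and 6). The DNs, attribute values, the Context Security subentry ACL and the administrator account are constructed; the walk-up and deny-beats-grant evaluation are a simplified model, not the product's algorithm.

```python
# Added example, not MMS product code: a toy model of the administrative area
# scoping this module describes. Each administration point carries a collective
# subentry and a security subentry that apply to every entry beneath it until
# the next administration point. DNs, values and user names are constructed.
from typing import Dict, List, Optional, Tuple

ACE = Tuple[str, str, bool]  # (user class, attribute name or "*", allow modify?)
# Administration points, keyed by leaf-first DN (no escaped commas in this toy).
ADMIN_POINTS: Dict[str, dict] = {
    "dc=Contoso,dc=com": {
        "collective": {"telephoneNumber": "+1 555 0100", "homeServer": "mms-01"},
        "security": [("Directory Administrators", "*", True), ("Self", "*", True)],
    },
    "ou=Temps,dc=Contoso,dc=com": {  # review question 2: temps cannot edit self
        "collective": {"homeServer": "mms-02"},
        "security": [("Directory Administrators", "*", True), ("Self", "*", False)],
    },
}
# Review question 6: permissions set on a subentry itself override what it
# inherits from its area, so a deny to Anyone locks out even the administrator.
SUBENTRY_ACL: Dict[str, List[ACE]] = {
    "cn=Context Security,dc=Contoso,dc=com": [("Anyone", "*", False)],
}
ADMINS = {"cn=Admin,dc=Contoso,dc=com"}  # the directory administrators list

def governing_admin_point(dn: str) -> Optional[str]:
    """Walk up the tree from the entry until an administration point is reached."""
    cur: Optional[str] = dn
    while cur is not None:
        if cur in ADMIN_POINTS:
            return cur
        _, sep, rest = cur.partition(",")  # drop the leading RDN
        cur = rest if sep else None
    return None

def collective_attributes(dn: str) -> Dict[str, str]:
    """Read-only attributes an entry inherits from its nearest administration point."""
    ap = governing_admin_point(dn)
    return dict(ADMIN_POINTS[ap]["collective"]) if ap else {}

def can_modify(requester: str, target: str, attr: str) -> bool:
    """Modify check: a subentry's own ACL beats the area ACL, and deny beats grant."""
    classes = {"Anyone"}
    if requester == target:
        classes.add("Self")
    if requester in ADMINS:
        classes.add("Directory Administrators")
    ap = governing_admin_point(target)
    acl = SUBENTRY_ACL.get(target, ADMIN_POINTS[ap]["security"] if ap else [])
    hits = [allow for cls, a, allow in acl if cls in classes and a in ("*", attr)]
    return bool(hits) and all(hits)
```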