module 05_configuring active directory objects and trusts
TRANSCRIPT
Module 5: Configuring Active Directory Objects and Trusts
Module Overview
• Delegate Administrative Access to Active Directory® Objects
• Configure Active Directory Trusts
Lesson 1: Delegate Administrative Access to Active Directory Objects
• Active Directory Object Permissions
• What Are Effective Permissions?
• What Is Delegation of Control?
• The Delegation of Control Wizard
• Discussion: Scenarios for Delegating Control
Active Directory Object Permissions
Include standard permissions and special permissions
• Can be set at the object level, or inherited from the parent object
• Can be allowed, implicitly denied, or explicitly denied
• Standard permissions are the most frequently assigned permissions
• Special permissions provide a finer degree of control for assigning access to objects
Demonstration: Active Directory Domain Services Object Permission Inheritance
In this demonstration, you will see:
• How permissions are inherited for AD DS objects
• How to view effective permissions on an object
What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group
• Permissions are cumulative, including permissions assigned to the user account and the group account
• Explicit deny permissions override inherited allow permissions
Use the Effective Permissions tool to view effective permissions
• Special identities are used in the Effective Permissions tab to view special permissions
• The Effective Permissions tool does not take share permissions into account
What Is Delegation of Control?
(Diagram: a domain containing OU1, OU2, and OU3, with delegated administrators Admin1, Admin2, and Admin3)
Assigns the responsibility of managing Active Directory objects to another user or group
• Delegated administration:
  • Eases administration by distributing routine administrative tasks
  • Provides users or groups more control over local network resources
  • Eliminates the need for multiple administrative accounts
The Delegation of Control Wizard
Use the Delegation of Control Wizard to:
• Assign appropriate permissions to users and groups
• Specify the user or group to which you want to delegate control
• Specify the OUs and objects that you want to grant the user or group permission to control
• Specify the tasks that you want the user or group to be able to perform
Modifying the Delegation of Control Wizard:
• List of common tasks in the wizard is controlled by templates in the delegwiz.inf file
• You can change the list of common tasks by modifying the delegwiz.inf file to include other templates
Discussion: Scenarios for Delegating Control
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?
Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to:
• Configure delegation with the Delegation of Control Wizard
• Configure delegation using a Windows PowerShell script
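The slides do not show what the PowerShell variant of the demonstration looks like, so the script below is an added example (not course material) of delegating control without the wizard: it grants a helpdesk group the Reset Password right on user objects under one OU, then reads the ACEs back so you can see the explicit entry on the OU and the inherited copy on a user inside it. The OU, group, and domain names are constructed placeholders; the script assumes the ActiveDirectory module (which provides the AD: drive) and an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not from the course: delegate "Reset Password" on user objects
# under an OU to a helpdesk group, then inspect explicit and inherited ACEs.
Import-Module ActiveDirectory

# Constructed placeholder names; replace with your own OU and group.
$ouDn      = 'OU=Interns,DC=woodgrovebank,DC=com'
$groupName = 'Helpdesk-Interns'

# Resolve the schema GUID of the "user" class and the rightsGuid of the
# "Reset Password" control access right from the directory itself rather
# than hard-coding the GUIDs.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]::new([byte[]]$userClass.schemaIDGUID)

$resetPwd = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetPwdGuid = [guid]$resetPwd.rightsGuid

# Build one ACE: Allow <group> the ExtendedRight "Reset Password", applied only
# to descendant objects of class "user" (the wizard's "user objects" scope).
$groupSid = (Get-ADGroup -Identity $groupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# Read the OU's security descriptor, add the ACE, and write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Explicit entries on the OU for the delegated group (IsInherited = False).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, IsInherited

# The same entry as it appears, inherited, on a user object inside the OU.
$sampleUser = Get-ADUser -SearchBase $ouDn -SearchScope OneLevel -Filter * |
    Select-Object -First 1
if ($sampleUser) {
    (Get-Acl -Path "AD:\$($sampleUser.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}
```

Scoping the ACE with `Descendents` plus the `user` class GUID is what keeps the delegation narrow: the group can reset passwords on users in that OU, but gets nothing on computers, groups, or the OU object itself. Reading the ACL back is the scripted equivalent of the Effective Permissions check in the previous lesson, and is worth keeping as a post-change verification step.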
Lab A: Configuring Active Directory Delegation
• Exercise 1: Delegating Control of AD DS Objects
Logon information
Virtual machines: NYC-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
Woodgrove Bank has also established a partner relationship with another organization. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users as possible.
Lesson 2: Configure Active Directory Trusts
• What Are AD DS Trusts?
• AD DS Trust Options
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• What Are User Principal Names?
• What Are the Selective Authentication Settings?
What Are AD DS Trusts?
Trusts provide a mechanism for users to gain access to resources in another domain
Trust characteristics:
• Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains
• Trust direction – the trust direction defines the account domain and the resource domain
• Authentication protocol – the protocol that you use to establish and maintain the trust
AD DS Trust Options
(Diagram: two forests, Forest 1 and Forest 2, each with a forest root domain and child domains labelled A through F, P, and Q, plus an external Kerberos Realm. Trust types shown: Parent/Child Trust, Tree/Root Trust, Shortcut Trust, Forest Trust between the two forests, External Trust, and Realm Trust to the Kerberos Realm)
How Trusts Work Within a Forest
(Diagram: one forest with two trees, Tree One and Tree Two. It shows the Forest Root Domain, a Tree Root Domain, and child domains labelled 1, 2, A, B, and C, connected by the parent/child and tree-root trusts that are created automatically within a forest)
How Trusts Work Between Forests
(Diagram: a Forest trust between Forest 1, WoodgroveBank.com with child domain EMEA.WoodgroveBank.com, and Forest 2, contoso.com with child domain NA.Contoso.com. Each forest has a Global catalog; sites Seattle and Vancouver are shown, and numbered steps 1 through 9 trace a cross-forest authentication request)
Demonstration: Reviewing Trusts
In this demonstration, you will see how to:
• Review the Active Directory Domains and Trusts MMC
What Are User Principal Names?
• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user’s home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
What Are the Selective Authentication Settings?
Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Configured on the security descriptor of the computer object located in AD DS
To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
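Both configuration steps listed above can be scripted. The following is an added example, not from the course or its lab, that switches an existing forest trust to selective authentication with netdom, confirms the setting with Get-ADTrust, and then grants the "Allowed to Authenticate" right on a single computer object to a group from the trusted forest. The forest names, partner group, and server DN are constructed placeholders; the script assumes a forest trust already exists, that the ActiveDirectory module is loaded, and that it runs with domain-admin rights in the trusting (resource) forest.

```powershell
# Added example, not from the course: enable selective authentication on an
# existing forest trust and grant "Allowed to Authenticate" on one computer.
Import-Module ActiveDirectory

# Constructed placeholder names; replace with your own.
$localForest   = 'woodgrovebank.com'           # trusting (resource) forest, where this runs
$partnerForest = 'contoso.com'                 # trusted (account) forest
$partnerGroup  = 'CONTOSO\Partner-FileUsers'   # group in the trusted forest
$serverDn      = 'CN=NYC-FS1,OU=Servers,DC=woodgrovebank,DC=com'  # resource computer

# Step 1: switch the trust from domain-wide to selective authentication.
# netdom.exe is the built-in command-line tool for changing trust settings.
netdom trust $localForest /Domain:$partnerForest /SelectiveAUTH:Yes

# Confirm with the ActiveDirectory module: SelectiveAuthentication should now be True.
Get-ADTrust -Filter "Name -eq '$partnerForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# Step 2: grant the "Allowed to Authenticate" control access right on the
# computer object. With selective authentication on, users from the trusted
# forest are refused at this computer until they hold this right, regardless
# of any NTFS or share permissions they have been given.
$configNc = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$allowedToAuthGuid = [guid]$right.rightsGuid

# Resolve the foreign group to a SID across the trust.
$partnerSid = (New-Object System.Security.Principal.NTAccount($partnerGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $partnerSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthGuid)

$acl = Get-Acl -Path "AD:\$serverDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$serverDn" -AclObject $acl

# Verify: list every ACE on the computer that carries the Allowed to Authenticate GUID.
(Get-Acl -Path "AD:\$serverDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Granting the right per computer, to a group rather than individual users, is what makes the "as few users as possible" requirement auditable: the final Get-Acl listing is the complete set of principals from the partner forest that can authenticate to that server, and it can be reviewed without touching the trust itself.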
Lab B: Configuring Active Directory Trusts
• Exercise 1: Configuring AD DS Trusts
Logon information
Virtual machines: NYC-DC1, NYC-DC2, NYC-CL1, VAN-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
Woodgrove Bank has several requirements for managing AD DS objects. The organization frequently hires interns who must have limited permissions and whose accounts must be set to expire automatically when the internship is complete. User accounts must also be configured with a standard configuration. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. The organization would like to automate user and group management tasks, and delegate some administrative tasks to junior administrators.
Lab Review
• After the trusts are configured as described in the lab, what resources will users in Woodgrovebank be able to access in the Fabrikam.com domain?
• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?
Module Review and Takeaways
• Review questions
• Considerations for managing Active Directory objects and trusts