Page 1
Module 5
Configuring Active Directory Objects and Trusts
Page 3
Lesson 1: Delegate Administrative Access to Active Directory Objects
• Active Directory Object Permissions
• What Are Effective Permissions?
• What Is Delegation of Control?
• The Delegation of Control Wizard
• Discussion: Scenarios for Delegating Control
Page 4
Active Directory Object Permissions
Include standard permissions and special permissions
• Can be set at object level, or inherited from the parent object
• Can be allowed, implicitly denied, or explicitly denied
• Standard permissions are the most frequently assigned permissions
• Special permissions provide a finer degree of control for assigning access to objects
Page 5
Demonstration: Active Directory Domain Services Object Permission Inheritance
In this demonstration, you will see:
• How permissions are inherited for AD DS objects
• How to view effective permissions on an object
Page 6
What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group
• Permissions are cumulative, including permissions assigned to the user account and to the user's groups
• Explicit deny permissions override inherited allow permissions
• Explicit allow permissions override inherited deny permissions
Use the Effective Permissions tool to view effective permissions
• Special identities are not evaluated when using the Effective Permissions tab to view special permissions
• The Effective Permissions tool does not take share permissions into account
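The precedence rules above are the order in which Windows walks an object's DACL: explicit entries before inherited ones, and Deny before Allow at each level. As an added example (not part of the course material), the PowerShell below reads the security descriptor of one AD object through the ActiveDirectory module's AD: drive and lists its ACEs in that evaluation order, so an administrator can see exactly which explicit and inherited entries apply to a trustee instead of trusting a single summarized result. The OU distinguished name and trustee name are assumed placeholders.

```powershell
# Added example, not part of the course material: list the ACEs on one AD object
# in the order Windows evaluates them when computing effective access:
#   1. explicit Deny   2. explicit Allow   3. inherited Deny   4. inherited Allow
# Requires the ActiveDirectory module (RSAT) and read access to the object.
Import-Module ActiveDirectory

function Get-ADAceEvaluationOrder {
    param(
        # Distinguished name of the object whose DACL is inspected (assumed placeholder in the usage below)
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Optional filter: show only ACEs granted to this trustee, e.g. 'WOODGROVEBANK\HelpDesk'
        [string] $Trustee
    )

    # The AD: PSDrive is provided by the ActiveDirectory module
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    $rows = foreach ($ace in $acl.Access) {
        if ($Trustee -and $ace.IdentityReference.Value -ne $Trustee) { continue }

        # Rank: inherited Allow = 4, inherited Deny = 3; explicit entries move up two places (2 or 1)
        $order = 4
        if ($ace.AccessControlType -eq 'Deny') { $order = 3 }
        if (-not $ace.IsInherited)             { $order -= 2 }

        [pscustomobject]@{
            Order      = $order
            Trustee    = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Inherited  = $ace.IsInherited
            Rights     = $ace.ActiveDirectoryRights
            # All-zero GUID: the ACE covers the whole object. Any other GUID: a property,
            # property set or extended right, i.e. a "special permission"
            ObjectType = $ace.ObjectType
            AppliesTo  = $ace.InheritanceType
        }
    }

    $rows | Sort-Object Order, Trustee
}

# Usage (OU distinguished name is an assumed placeholder):
Get-ADAceEvaluationOrder -DistinguishedName 'OU=Interns,DC=woodgrovebank,DC=com' |
    Format-Table Order, Trustee, Type, Inherited, Rights -AutoSize
```

The listing shows special identities such as Authenticated Users as ordinary trustees, which the Effective Permissions tab does not evaluate, but it does not expand a user's group memberships or consider share permissions, so it complements the tool rather than replacing it.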
Page 7
What Is Delegation of Control?
• Delegated administration:
  Assigns the responsibility of managing Active Directory objects to another user or group
  Eases administration by distributing routine administrative tasks
  Provides users or groups more control over local
Page 8
The Delegation of Control Wizard
Use the Delegation of Control Wizard to:
• Automatically assign appropriate permissions to users and groups
• Specify the user or group to which you want to delegate control
• Specify the OUs and objects that you want to grant the user or group permission to control
• Specify the tasks that you want the user or group to be able to perform
Modifying the Delegation of Control Wizard:
• The list of common tasks in the wizard is controlled by templates in the delegwiz.inf file
• You can change the list of common tasks by modifying the delegwiz.inf file to include other templates
Page 9
Discussion: Scenarios for Delegating Control
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?
Page 10
Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to:
• Configure delegation with the Delegation of Control Wizard
• Configure delegation using a Windows PowerShell script
Page 11
Lab A: Configuring Active Directory Delegation
• Exercise 1: Delegating Control of AD DS Objects
Logon information
Virtual machines: NYC-DC1
Estimated time: 30 minutes
Page 12
Lab Scenario
Woodgrove Bank has also established a partner relationship with another organization. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users as possible.
Page 13
Lesson 2: Configure Active Directory Trusts
• What Are AD DS Trusts?
• AD DS Trust Options
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• What Are User Principal Names?
• What Are the Selective Authentication Settings?
Page 14
What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources
Page 15
AD DS Trust Options
[Diagram: Forest 1 (forest root with Domain A, Domain B, Domain D, Domain E and Domain F) and a second forest root. Trust types shown: Tree/Root Trust, Forest Trust, Shortcut Trust, External Trust, and Realm Trust to a Kerberos Realm]
Page 16
How Trusts Work Within a Forest
[Diagram: Forest Root Domain and Tree Root Domain; Tree One and Tree Two containing Domain 1, Domain 2, Domain A, Domain B and Domain C]
Page 17
How Trusts Work Between Forests
Page 18
Demonstration: Reviewing Trusts
In this demonstration, you will see how to:
• Review the Active Directory Domains and Trusts MMC
Page 19
What Are User Principal Names?
• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user’s home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
Page 20
What Are the Selective Authentication Settings?
Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Configured on the security descriptor of the computer object located in AD DS
To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
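Both the scripted delegation mentioned in the Lesson 1 demonstration (page 10) and the second step of selective authentication above come down to the same operation: writing an ACE for a control access right onto an object's security descriptor, scoped by object class. As an added example (not part of the course material or of the Delegation of Control Wizard), the PowerShell below looks up the right and class GUIDs from the schema and configuration partitions and adds such an ACE, then shows it used once for the common task "Reset user passwords" and once for the "Allowed to Authenticate" right on computer objects. The OU names, group names, and the woodgrovebank.com and fabrikam.com domain names are assumed placeholders taken from the lab scenario.

```powershell
# Added example, not part of the course material: grant one control access right
# ("extended right") on an OU, inherited by objects of a single class beneath it.
# The Delegation of Control Wizard writes ACEs of this shape for tasks such as
# "Reset user passwords"; selective authentication is scoped the same way, with
# the "Allowed to Authenticate" right on computer objects.
# Requires the ActiveDirectory module and permission to modify the target's DACL.
Import-Module ActiveDirectory

function Get-ADSchemaClassGuid {
    # schemaIDGUID of an object class (e.g. 'user', 'computer'), read from the
    # schema partition instead of hard-coding the well-known value
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$class.schemaIDGUID
}

function Get-ADExtendedRightGuid {
    # rightsGuid of a control access right, looked up by its display name
    # (e.g. 'Reset Password', 'Allowed to Authenticate')
    param([Parameter(Mandatory)] [string] $DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

function Grant-ADExtendedRight {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # OU (or object) whose DACL receives the new ACE
        [Parameter(Mandatory)] [string] $TargetDN,
        # Trustee as a SID (works for trusted-forest principals too) or an NTAccount
        [Parameter(Mandatory)] [System.Security.Principal.IdentityReference] $Trustee,
        # Display name of the extended right to grant
        [Parameter(Mandatory)] [string] $RightDisplayName,
        # Object class the ACE is inherited by, e.g. 'user' or 'computer'
        [Parameter(Mandatory)] [string] $AppliesToClass
    )

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ADExtendedRightGuid -DisplayName $RightDisplayName),
        # "Descendents" is the .NET spelling: inherit-only, so the OU itself is not affected
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-ADSchemaClassGuid -LdapDisplayName $AppliesToClass)
    )

    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    # -WhatIf passed to this function flows through to Set-Acl
    if ($PSCmdlet.ShouldProcess($TargetDN, "Grant '$RightDisplayName' to $($Trustee.Value) on $AppliesToClass objects")) {
        Set-Acl -Path $path -AclObject $acl
    }
    $rule
}

# 1) Delegation of control: HelpDesk may reset passwords of user objects under the Interns OU
Grant-ADExtendedRight -TargetDN 'OU=Interns,DC=woodgrovebank,DC=com' `
    -Trustee (Get-ADGroup -Identity 'HelpDesk').SID `
    -RightDisplayName 'Reset Password' -AppliesToClass 'user' -WhatIf

# 2) Selective authentication: once the forest trust uses selective rather than
#    domain-wide authentication, a Fabrikam group can reach only the computers in
#    the PartnerServers OU, because only those computer objects carry the right
Grant-ADExtendedRight -TargetDN 'OU=PartnerServers,DC=woodgrovebank,DC=com' `
    -Trustee (Get-ADGroup -Identity 'PartnerUsers' -Server 'fabrikam.com').SID `
    -RightDisplayName 'Allowed to Authenticate' -AppliesToClass 'computer' -WhatIf
```

Remove -WhatIf to apply the change. Resolving the GUIDs from the directory rather than pasting them keeps the script correct against any schema, and the inherited-object-type GUID is what limits the right to one class, so the same call cannot accidentally grant password reset on computer or group objects in the OU. The first step of selective authentication, switching the trust itself away from domain-wide authentication, is a property of the trust and is set in Active Directory Domains and Trusts, not on the computer objects.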
Page 21
Lab B: Configuring Active Directory Trusts
• Exercise 1: Configuring AD DS Trusts
Page 22
Lab Scenario
Woodgrove Bank has several requirements for managing AD DS objects. The organization frequently hires interns who must have limited permissions and whose accounts must be set to expire automatically when the internship is complete. User accounts must also be configured with a standard configuration. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. The organization would like to automate the user and group management tasks, and delegate some administrative tasks to junior administrators.
Page 23
Lab Review
• After the trusts are configured as described in the lab, what resources will users in Woodgrovebank be able to access in the Fabrikam.com domain?
• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?
Page 24
Module Review and Takeaways
• Review questions
• Considerations for managing Active Directory objects and trusts