Demonstration: Configuring Active Directory Objects Using Windows PowerShell. In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell.
Slide 1: Module 3: Configuring Active Directory Objects and Trusts
Slide 2: Module Overview
• Configuring Active Directory Objects
• Strategies for Using Groups
• Automating AD DS Object Management
• Delegating Administrative Access to AD DS Objects
• Configuring AD DS Trusts
Slide 3: Lesson 1: Configuring Active Directory Objects
• Discussion: Using Default Groups and Special Identities
• Demonstration: Configuring AD DS Group Accounts
• Demonstration: Configuring Additional AD DS Objects
Slide 4
Computer accounts
• Enable authentication and auditing of computer access to resources
Group accounts
• Help simplify administration
InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services
Shared folders
• Used to simplify the process of locating and connecting to shared folders
Slide 5: Demonstration: Configuring AD DS User Accounts
In this demonstration, you will see how to configure AD DS user accounts
Slide 6
• Used most effectively when nested
• The functional level determines the type of groups that you can create
Slide 7: Group Scope
For each group scope, the members it can include and where it can be used to assign permissions:
• Domain local: universal groups, global groups, and other domain local groups from its own domain; accounts from any trusted domain
• Global: users, groups, and computers from its own domain; can be used to assign permissions in any trusted domain
• Universal: users, groups, and computers as members from any trusted domain
• Local: users, groups, and computers as members from any trusted domain; can be used to assign permissions on the local computer
Slide 8: Default AD DS Groups
Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles:
• Account Operators
• Administrators
• Backup Operators
• Incoming Forest Trust Builders
• Network Configuration Operators
• Performance Log Users
• Performance Monitor Users
• Pre-Windows 2000 Compatible Access
• Print Operators
• Remote Desktop Users
• Replicator
• Server Operators
• Users
Slide 9: AD DS Special Identities
Designed to provide access to resources without administrative or user interaction:
• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Everyone
• Interactive
• Local System
• Network
• Self
• Service
• Terminal Server Users
• Other Organization
• This Organization
Slide 10: Discussion: Using Default Groups and Special Identities
Using the scenario, answer the questions in your workbook
Slide 11: Demonstration: Configuring AD DS Group Accounts
In this demonstration, you will see how to configure AD DS group accounts
Slide 12: Demonstration: Configuring Additional AD DS Objects
In this demonstration, you will see how to configure additional AD DS objects
Slide 13: Lesson 2: Strategies for Using Groups
• Options for Assigning Access to Resources
• Using Account Groups to Assign Access to Resources
• Using Account Groups and Resource Groups
• Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Slide 14: Options for Assigning Access to Resources
When assigning access to resources:
• Plan for the lowest level of permissions
• Keep the plan as simple as possible
• Document the plan
Options include:
• Adding user accounts to the ACL on the resource
• Adding user accounts to groups, and adding the groups to the ACL on the resource
• Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource
Slide 15: Using Account Groups to Assign Access to Resources
Diagram: user accounts are placed in account groups, and the account groups are assigned permissions on the resource.
Slide 16: Using Account Groups and Resource Groups
Diagram: user accounts are placed in account groups, the account groups are nested in resource groups, and the resource groups are assigned permissions on the resource.
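The account group / resource group strategy from the slides above (users in a global account group, the account group nested in a domain local resource group, and only the resource group on the ACL), written out as an added Windows PowerShell example. This is not code from the course; it assumes the ActiveDirectory module (RSAT) is installed, that the session has rights to create groups and modify the folder ACL, and that the OU distinguished name, folder path and group names are placeholders chosen for the demo.

```powershell
# Added example: the AGDLP group strategy with the ActiveDirectory module and NTFS ACLs.
# Assumptions (placeholders for this demo): the OU, the share path and the group names.
Import-Module ActiveDirectory

$domainNetbios = (Get-ADDomain).NetBIOSName
$groupOu       = 'OU=Groups,DC=contoso,DC=com'   # placeholder OU for the new groups
$sharePath     = 'D:\Shares\Finance'             # placeholder folder to protect

# A -> G: the account group (Global) describes who the people are, a role
$accountGroup = New-ADGroup -Name 'Finance Users' -GroupScope Global `
    -GroupCategory Security -Path $groupOu -PassThru

# DL: the resource group (Domain Local) describes one access level on one resource
$resourceGroup = New-ADGroup -Name 'ACL_Finance_Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOu -PassThru

# G -> DL: nest the account group in the resource group
Add-ADGroupMember -Identity $resourceGroup -Members $accountGroup

# DL -> P: only the resource group is written to the ACL.
# On a member file server the new group's SID must have replicated before it
# resolves; on a domain controller it is available immediately.
if (-not (Test-Path -Path $sharePath)) {
    New-Item -ItemType Directory -Path $sharePath | Out-Null
}
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$domainNetbios\ACL_Finance_Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Review: the domain entries on the ACL should be resource groups only, never
# individual users or account groups
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like "$domainNetbios\*" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Adding or removing a user then touches only the membership of the account group; the ACL on the folder never changes, which is what keeps the plan simple and lets the lowest necessary permission level be documented once, per resource group.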
Slide 17: Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Using the scenarios, answer the questions in your workbooks
Slide 18: Lesson 3: Automating AD DS Object Management
• Tools for Automating AD DS Object Management
• Configuring AD DS Objects Using Command-Line Tools
• Managing User Objects with LDIFDE
• Managing User Objects with CSVDE
• What Is Windows PowerShell?
• Windows PowerShell Cmdlets
• Demonstration: Configuring Active Directory Objects Using Windows PowerShell
Slide 19: Tools for Automating AD DS Object Management
• Active Directory Users and Computers
• Directory Service Tools
Slide 20: Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
Slide 22: Managing User Objects with CSVDE
• CSVDE.exe: import and export
Slide 23: What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage Active Directory and other Windows components
Windows PowerShell features include:
• Powerful single-line cmdlets
Slide 24: Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same Verb-Noun syntax:
• Get-Service | sort-object name
• Get-Service | where-object {$_.status -eq "running"} | sort-object name
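The same Verb-Noun cmdlets and pipeline pattern applied to AD DS object management, as an added example that is not part of the course material: a constructed CSV (the same kind of input a CSVDE import file carries) is piped through ConvertFrom-Csv and ForEach-Object into New-ADUser, and the result is then filtered and sorted with Where-Object and Sort-Object exactly as the Get-Service examples on the slide are. It assumes the ActiveDirectory module is installed; the OU, UPN suffix and sample user rows are placeholders chosen for the demo.

```powershell
# Added example: automating user creation and reporting with Verb-Noun cmdlets
# joined by the pipeline. Assumptions (placeholders for this demo): the OU, the
# UPN suffix and the CSV rows below.
Import-Module ActiveDirectory

$targetOu  = 'OU=Staff,DC=contoso,DC=com'   # placeholder OU
$upnSuffix = 'contoso.com'                   # placeholder UPN suffix

# Constructed sample input, one row per user, as a CSVDE-style import file
$csv = @'
SamAccountName,GivenName,Surname,Department
abaker,Anna,Baker,Finance
cdiaz,Carlos,Diaz,Finance
emoss,Erin,Moss,Sales
'@

# One pipeline: parse the CSV, then create each account. Accounts are created
# disabled so that nobody can log on before a password is set and reviewed.
$csv | ConvertFrom-Csv | ForEach-Object {
    New-ADUser -Name "$($_.GivenName) $($_.Surname)" `
        -SamAccountName $_.SamAccountName `
        -UserPrincipalName "$($_.SamAccountName)@$upnSuffix" `
        -GivenName $_.GivenName -Surname $_.Surname `
        -Department $_.Department -Path $targetOu `
        -Enabled $false
}

# Report, in the shape of the slide's Get-Service pipeline:
#   server-side filter (-Filter) -> client-side refinement (Where-Object) -> Sort-Object
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $targetOu -Properties Department, whenCreated |
    Where-Object { $_.Department -eq 'Finance' } |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, UserPrincipalName, Department, whenCreated
```

The -Filter string is evaluated by the domain controller, so it should carry as much of the condition as possible; Where-Object then only refines what has already come back, which matters for large directories.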
Slide 25: Demonstration: Configuring Active Directory Objects Using Windows PowerShell
In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell
Slide 26: Lab A: Configuring Active Directory Objects
• Exercise 1: Configuring AD DS Objects
• Exercise 2: Implementing an AD DS Group Strategy
• Exercise 3: Automating the Management of AD DS Objects
Slide 27: Lab A Review
• How will the group strategies you use in your organization compare with the strategy used in this lab?
• Which of the options for automating AD DS object management will be most useful in your organization?
Slide 28: Lesson 4: Delegating Administrative Access to AD DS Objects
• Active Directory Object Permissions
• Demonstration: Active Directory Domain Services Object Permission Inheritance
• What Are Effective Permissions?
• What Is Delegation of Control?
• Discussion: Scenarios for Delegating Control
• Demonstration: Configuring Delegation of Control
Slide 29: Active Directory Object Permissions
Active Directory permissions:
• Include standard permissions and special permissions:
Standard permissions are the most frequently assigned permissions
Special permissions provide a finer degree of control for assigning access to objects
• Can be allowed, implicitly denied, or explicitly denied
• Can be set at the object level or inherited from the parent object
Slide 30: Demonstration: Active Directory Domain Services Object Permission Inheritance
In this demonstration, you will see how permissions are inherited for AD DS objects
Slide 31: What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group:
• Permissions are cumulative, including permissions assigned to the user account and the group account
• Explicit deny permissions override allow permissions
• Explicit allow permissions override explicit deny permissions
• Object owners can always change permissions
• Special identities are not used when the Effective Permissions tool calculates special permissions
Slide 32: What Is Delegation of Control?
Assigns the responsibility of managing Active Directory objects to another user or group
• Delegated administration:
Eases administration by distributing routine administrative tasks
Provides users or groups more control over local network resources
Eliminates the need for multiple administrative accounts
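Delegation of control and the permission model from the slides above, as an added Windows PowerShell example that is not part of the course: a help desk group is granted the Reset Password control access right on all user objects under one OU (the same change the Delegation of Control Wizard makes), and the OU's ACL is then listed so that allowed versus denied and explicit versus inherited entries can be reviewed. It assumes the ActiveDirectory module is installed (it supplies the AD: drive), that the session has rights to modify the OU's security descriptor, and that the OU and group names are placeholders for the demo; the two GUIDs are the well-known schema identifiers of the Reset Password right and the user object class.

```powershell
# Added example: delegating Reset Password on an OU to a help desk group and
# reviewing the resulting ACEs. Assumptions (placeholders for this demo): the
# OU distinguished name and the group name.
Import-Module ActiveDirectory

$ouDn     = 'OU=Staff,DC=contoso,DC=com'     # placeholder OU to delegate
$helpDesk = Get-ADGroup -Identity 'HelpDesk'  # placeholder delegate group
$sid      = [System.Security.Principal.SecurityIdentifier] $helpDesk.SID

# Well-known schema GUIDs: the Reset Password extended right, and the user class
$resetPasswordRight = [guid] '00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDn"

# Allow the right on descendant user objects only: the ACE is inherited by
# children (Descendents) and scoped to the user class (inheritedObjectType),
# so the help desk gets nothing on the OU itself, on groups or on computers.
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review the ACL in the terms the slides use: explicit before inherited,
# Deny before Allow, then by identity. A Deny entry here overrides an Allow
# for the same identity or its groups.
(Get-Acl -Path "AD:\$ouDn").Access |
    Sort-Object IsInherited, AccessControlType, IdentityReference |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  IsInherited, InheritanceType, ObjectType
```

Keeping the delegation on a group rather than on individual accounts, and reviewing the listing above after each change, is what lets the delegated task be withdrawn later by removing a membership instead of hunting for ACEs.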
Slide 33: Discussion: Scenarios for Delegating Control
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?
Slide 34: Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to configure delegation of control
Slide 35: Lesson 5: Configuring AD DS Trusts
• What Are AD DS Trusts?
• AD DS Trust Options
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• Demonstration: Configuring Trusts
• What Are User Principal Names?
• What Are the Selective Authentication Settings?
• Demonstration: Configuring Advanced Trust Settings
Slide 36: What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources
Slide 37: AD DS Trust Options
Diagram: the trust types, shown between Forest 1 and a second forest (each with a forest root domain and Domains A through F) and a Kerberos realm: tree/root trust, forest trust, shortcut trust, external trust, and realm trust.
Slide 38: How Trusts Work Within a Forest
Diagram: the forest root domain, a tree root domain, Tree One and Tree Two, and their child domains (Domain 1, Domain 2, Domain A, Domain B, Domain C).
Slide 39: How Trusts Work Between Forests
Slide 40: Demonstration: Configuring Trusts
In this demonstration, you will see how to configure shortcut, external, and forest trusts
Slide 41: What Are User Principal Names?
• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
Slide 42: What Are the Selective Authentication Settings?
Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Is configured on the security descriptor of the computer object located in Active Directory
To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
Slide 43: Demonstration: Configuring Advanced Trust Settings
In this demonstration, you will see how to configure advanced trust settings
Slide 44: Lab B: Configuring Active Directory Delegation and Trusts
• Exercise 1: Delegating Control of AD DS Objects
• Exercise 2: Configuring AD DS Trusts
Logon information
Virtual machines: 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-SVR1
User name: Administrator
Estimated time: 20 minutes
Slide 45: Lab B Review
• After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain?
• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?
Slide 46: Module Review and Takeaways
• Review questions
• Considerations for configuring Active Directory objects
• Tools
Slide 47: Beta Feedback Tool
• The beta feedback tool helps:
Collect student roster information, module feedback, and course evaluations
Identify and sort the changes that students request, thereby facilitating a quick team triage
Save data to a database in SQL Server that you can later query
• Walkthrough of the tool
Slide 48: Beta Feedback
• Overall flow of module:
Which topics did you think flowed smoothly from topic to
Were you able to process what the instructor said before moving on to the next topic?
Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
knowledge in your work environment?
Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?