Module 3: Configuring Active Directory Objects and Trusts


Module 3: Configuring Active Directory Objects and Trusts. Module Overview: Configuring Active Directory Objects; Strategies for Using Groups; Automating AD DS Object Management; Delegating Administrative Access to AD DS Objects; Configuring AD DS Trusts.

Transcript of Module 3: Configuring Active Directory Objects and Trusts

Page 1: Module 3: Configuring Active Directory Objects and Trusts

Module 3: Configuring Active Directory Objects and Trusts

Page 2: Module 3: Configuring Active Directory Objects and Trusts


Module Overview

• Configuring Active Directory Objects

• Strategies for Using Groups

• Automating AD DS Object Management

• Delegating Administrative Access to AD DS Objects

• Configuring AD DS Trusts

Page 3: Module 3: Configuring Active Directory Objects and Trusts


Lesson 1: Configuring Active Directory Objects

• Types of AD DS Objects

• Demonstration: Configuring AD DS User Accounts

• AD DS Group Types

• AD DS Group Scopes

• Default AD DS Groups

• AD DS Special Identities

• Discussion: Using Default Groups and Special Identities

• Demonstration: Configuring AD DS Group Accounts

• Demonstration: Configuring Additional AD DS Objects

Page 4: Module 3: Configuring Active Directory Objects and Trusts


Types of AD DS Objects

User accounts

• Enables a single sign-on for a user

• Provides access to resources

Computer accounts

• Enables authentication and auditing of computer access to resources

Group accounts

• Helps simplify administration

InetOrgPerson

• Similar to a user account

• Used for compatibility with other directory services

Organizational Unit

• Used to group similar objects for administration

Printers

• Used to simplify the process of locating and connecting to printers

Shared folders

• Used to simplify the process of locating and connecting to shared folders

Page 5: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Configuring AD DS User Accounts

In this demonstration, you will see how to configure AD DS user accounts

Page 6: Module 3: Configuring Active Directory Objects and Trusts


AD DS Group Types

Distribution groups

Used only with e-mail applications

Not security-enabled

Security groups

Used to assign rights and permissions to groups of users and computers

Used most effectively when nested

The functional level determines the type of groups that you can create

Page 7: Module 3: Configuring Active Directory Objects and Trusts

AD DS Group Scopes

Group scope: Local

Group members can include:

• Users, groups, and computers as members from any trusted domain

Can be used to assign permissions: on the local computer

Group scope: Domain Local

Group members can include:

• Universal groups, global groups, and other domain local groups from its own domain

• Accounts from any trusted domain

Can be used to assign permissions: in the same domain

Group scope: Global

Group members can include:

• Users, groups, and computers from its own domain

Can be used to assign permissions: in any trusted domain

Group scope: Universal

Group members can include:

• Users, groups, and computers as members from any trusted domain

Can be used to assign permissions: in any trusted domain

Page 8: Module 3: Configuring Active Directory Objects and Trusts


Default AD DS Groups

Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles

Account Operators

Administrators

Backup Operators

Incoming Forest Trust Builders

Network Configuration Operators

Performance Log Users

Performance Monitor Users

Pre-Windows 2000 Compatible Access

Print Operators

Remote Desktop Users

Replicator

Server Operators

Users

Page 9: Module 3: Configuring Active Directory Objects and Trusts


AD DS Special Identities

Designed to provide access to resources without administrative or user interaction

Anonymous Logon

Authenticated Users

Batch

Creator Group

Creator Owner

Dialup

Everyone

Interactive

Local System

Network

Self

Service

Terminal Server Users

Other Organization

This Organization

Page 10: Module 3: Configuring Active Directory Objects and Trusts


Discussion: Using Default Groups and Special Identities

Using the scenario, answer the questions in your workbook

Page 11: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Configuring AD DS Group Accounts

In this demonstration, you will see how to configure AD DS group accounts

Page 12: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Configuring Additional AD DS Objects

In this demonstration, you will see how to configure additional AD DS objects

Page 13: Module 3: Configuring Active Directory Objects and Trusts


Lesson 2: Strategies for Using Groups

• Options for Assigning Access to Resources

• Using Account Groups to Assign Access to Resources

• Using Account Groups and Resource Groups

• Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Page 14: Module 3: Configuring Active Directory Objects and Trusts


Options for Assigning Access to Resources

When assigning access to resources:

• Plan for the lowest level of permissions

• Keep the plan as simple as possible

• Document the plan

Options include:

• Adding user accounts to the ACL on the resource

• Adding user accounts to groups, and adding the groups to the ACL on the resource

• Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource

Page 15: Module 3: Configuring Active Directory Objects and Trusts

Using Account Groups to Assign Access to Resources

Diagram: User Accounts are placed in Account Groups, and Permissions on the resource are assigned to the Account Groups.

Page 16: Module 3: Configuring Active Directory Objects and Trusts

Using Account Groups and Resource Groups

Diagram: User Accounts are placed in Account Groups, the Account Groups are nested in Resource Groups, and Permissions on the resource are assigned to the Resource Groups.
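The account-group / resource-group strategy on the two slides above, combined with the scope rules from the group-scope table (global groups hold users from their own domain; domain local groups can hold global and universal groups and can only be granted permissions in their own domain). This is an added example written with the ActiveDirectory module cmdlets and icacls, not code from the course; the OU path, share path, group names and user names are assumed.

```powershell
# Added example (not from the course slides): the account-group / resource-group
# pattern from Lesson 2, built with the ActiveDirectory module cmdlets and icacls.
# Names, OU paths and the share path are constructed for illustration.
Import-Module ActiveDirectory

$ouGroups  = 'OU=Groups,DC=contoso,DC=com'   # assumed OU that holds both group kinds
$sharePath = 'D:\Shares\Sales'                # assumed folder on the resource server
$userNames = @('jdoe', 'asmith')              # assumed existing user accounts

# Account group: GLOBAL scope, holds users from its own domain (group-scope table).
$accountGroup = 'G_Sales_Staff'
if (-not (Get-ADGroup -Filter "Name -eq '$accountGroup'")) {
    New-ADGroup -Name $accountGroup -GroupScope Global -GroupCategory Security `
        -Path $ouGroups -Description 'Sales department staff (account group)'
}
Add-ADGroupMember -Identity $accountGroup -Members $userNames

# Resource group: DOMAIN LOCAL scope, exists only to carry one permission on one
# resource; its members are account groups (global or universal), never users.
$resourceGroup = 'DL_Sales_Share_Modify'
if (-not (Get-ADGroup -Filter "Name -eq '$resourceGroup'")) {
    New-ADGroup -Name $resourceGroup -GroupScope DomainLocal -GroupCategory Security `
        -Path $ouGroups -Description "Modify on $sharePath (resource group)"
}
Add-ADGroupMember -Identity $resourceGroup -Members $accountGroup

# The resource group is the only principal added to the folder ACL.
# (OI)(CI) = inherit to files and subfolders, M = Modify.
icacls $sharePath /grant "CONTOSO\${resourceGroup}:(OI)(CI)M"

# Check 1: nesting follows the strategy (the resource group contains only groups).
function Test-ResourceGroupNesting {
    param([string]$GroupName)
    $direct = Get-ADGroupMember -Identity $GroupName
    $bad = $direct | Where-Object { $_.objectClass -ne 'group' }
    if ($bad) {
        Write-Warning "$GroupName has direct non-group members: $($bad.SamAccountName -join ', ')"
        return $false
    }
    return $true
}

# Check 2: which users actually resolve through the nesting (what the ACL will see).
function Get-EffectiveResourceGroupUsers {
    param([string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object SamAccountName |
        Select-Object SamAccountName, DistinguishedName
}

Test-ResourceGroupNesting -GroupName $resourceGroup
Get-EffectiveResourceGroupUsers -GroupName $resourceGroup
```

The two check functions are the part worth keeping in a scheduled review: a user added directly to a resource group, or a resource group added to a second resource's ACL, silently breaks the one-group-per-permission model the slide describes, and neither mistake is visible from the folder's ACL alone.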

Page 17: Module 3: Configuring Active Directory Objects and Trusts


Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Using the scenarios, answer the questions in your workbooks

Page 18: Module 3: Configuring Active Directory Objects and Trusts


Lesson 3: Automating AD DS Object Management

• Tools for Automating AD DS Object Management

• Configuring AD DS Objects Using Command-Line Tools

• Managing User Objects with LDIFDE

• Managing User Objects with CSVDE

• What Is Windows PowerShell?

• Windows PowerShell Cmdlets

• Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Page 19: Module 3: Configuring Active Directory Objects and Trusts

Tools for Automating AD DS Object Management

Active Directory Users and Computers

Directory Service Tools

• Dsadd

• Dsmod

• Dsrm

Csvde and Ldifde tools

Windows PowerShell

Page 20: Module 3: Configuring Active Directory Objects and Trusts


Configuring AD DS Objects Using Command-Line Tools

Command line tools:

Page 21: Module 3: Configuring Active Directory Objects and Trusts

Managing User Objects with LDIFDE

Diagram: LDIFDE.exe imports from and exports to an LDIF file (filename.ldf) on one side and Active Directory on the other.

• LDIFDE.exe

Page 22: Module 3: Configuring Active Directory Objects and Trusts

Managing User Objects with CSVDE

Diagram: CSVDE.exe imports from and exports to a CSV file (filename.csv) on one side and Active Directory on the other.

• CSVDE.exe
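The command-line tools from the last three slides (dsadd, dsmod, dsrm, LDIFDE and CSVDE) applied to one user-object lifecycle. This is an added example, not code from the course; the OU, domain, account names and file names are constructed, and it runs from an elevated prompt on a domain-joined machine with the RSAT tools installed.

```powershell
# Added example (not from the course slides): a user-object lifecycle with
# dsadd/dsmod/dsrm, LDIFDE and CSVDE from Lesson 3. The OU, domain and account
# values are constructed; run from an elevated prompt on a domain member.
$ou     = 'OU=Sales,DC=contoso,DC=com'        # assumed target OU
$userDn = "CN=Jane Doe,$ou"

# --- dsadd / dsmod / dsrm -------------------------------------------------
# -pwd * prompts for the password instead of leaving it in the shell history.
dsadd user $userDn -samid jdoe -upn 'jdoe@contoso.com' -fn Jane -ln Doe `
    -display "Jane Doe" -pwd * -mustchpwd yes -disabled no

# Disable rather than delete when an account is no longer needed (keeps the SID
# and the audit trail); delete only after the retention period.
dsmod user $userDn -disabled yes
# dsrm $userDn -noprompt

# --- LDIFDE: export, then import ------------------------------------------
# Export selected attributes of the user objects under the OU to an .ldf file.
ldifde -f sales-users.ldf -d $ou -p subtree -r "(&(objectCategory=person)(objectClass=user))" `
    -l "sAMAccountName,userPrincipalName,userAccountControl"

# Build an import file. Neither CSVDE nor plain LDIFDE can set a password
# (unicodePwd is writable only over LDAPS), so create the account disabled
# (userAccountControl 514) and enable it once a password has been set.
$ldif = @"
dn: CN=Alan Smith,$ou
changetype: add
objectClass: user
sAMAccountName: asmith
userPrincipalName: asmith@contoso.com
givenName: Alan
sn: Smith
displayName: Alan Smith
userAccountControl: 514

"@
Set-Content -Path new-users.ldf -Value $ldif -Encoding ASCII
ldifde -i -f new-users.ldf -k          # -i import, -k continue past harmless errors
dsmod user "CN=Alan Smith,$ou" -pwd * -mustchpwd yes -disabled no

# --- CSVDE: export is the everyday use -----------------------------------
# The same data in spreadsheet-friendly form; an import (csvde -i) creates
# accounts that stay disabled until a password is set for them.
csvde -f sales-users.csv -d $ou -p subtree -r "(&(objectCategory=person)(objectClass=user))" `
    -l "sAMAccountName,userPrincipalName,userAccountControl"

# Review of the export: any enabled account whose password never expires?
# 0x2 = ACCOUNTDISABLE, 0x10000 = DONT_EXPIRE_PASSWD (userAccountControl bits).
Import-Csv sales-users.csv |
    Where-Object { ([int]$_.userAccountControl -band 0x2) -eq 0 } |
    Where-Object { ([int]$_.userAccountControl -band 0x10000) -ne 0 } |
    Select-Object sAMAccountName, userPrincipalName
```

The point a practitioner should take from the import half: bulk-created accounts arrive without a password and therefore disabled, and the enabling step is where the password is set and "must change at next logon" is applied. Leaving that step to a later, undocumented process is how bulk imports end up with shared or never-changed passwords.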

Page 23: Module 3: Configuring Active Directory Objects and Trusts

What Is Windows PowerShell?

Windows PowerShell is a scripting and command-line technology that you can use to manage Active Directory and other Windows components

Windows PowerShell features include:

• Powerful single-line cmdlets

• Aliases

• Variables

• Pipelining

• Scripting support

• Access to all cmd.exe commands

Page 24: Module 3: Configuring Active Directory Objects and Trusts

Windows PowerShell Cmdlets

Windows PowerShell cmdlets all use the same Verb-Noun syntax:

Verb: Get; Noun: Date; Parameters: (none); Example: Get-Date

Verb: Start; Noun: Service; Parameters: W3SVC; Example: Start-Service W3SVC

Results from one cmdlet can be pipelined to another:

• Get-Service W3svc | Format-List

• Get-Service | Sort-Object Name

• Get-Service | Where-Object { $_.Status -eq "Running" } | Sort-Object Name
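The same Where-Object / Sort-Object pipeline shape as the Get-Service examples above, applied to directory objects with the ActiveDirectory module. This is an added example rather than the course's demonstration; the inactivity thresholds are assumed and the domain is whichever one the session is joined to.

```powershell
# Added example (not from the course slides): the Verb-Noun / pipeline pattern
# applied to AD objects with the ActiveDirectory module instead of Get-Service.
# Thresholds are assumed; the domain is whatever the session is joined to.
Import-Module ActiveDirectory

# Enabled users whose password is set to never expire, sorted by when it was
# last set; the same where-object | sort-object shape as the slide.
function Get-NonExpiringPasswordUsers {
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Sort-Object PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, DistinguishedName
}

# Enabled accounts that have not logged on for a while. Search-ADAccount does the
# lastLogon arithmetic; the result is a candidate list for Disable-ADAccount.
function Get-StaleEnabledUsers {
    param([int]$Days = 90)    # assumed threshold
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Sort-Object LastLogonDate |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Reshape the output the way the slide does with format-list / format-table.
Get-NonExpiringPasswordUsers | Format-Table -AutoSize
Get-StaleEnabledUsers -Days 90 | Format-List

# The pipeline also feeds changes; -WhatIf is the dry run before committing.
Get-StaleEnabledUsers -Days 180 | Disable-ADAccount -WhatIf
```

Run the last line without -WhatIf only after the list has been reviewed: Search-ADAccount reports service and shared accounts that never log on interactively just as readily as abandoned user accounts.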

Page 25: Module 3: Configuring Active Directory Objects and Trusts

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell

Page 26: Module 3: Configuring Active Directory Objects and Trusts

Lab A: Configuring Active Directory Objects

• Exercise 1: Configuring AD DS Objects

• Exercise 2: Implementing an AD DS Group Strategy

• Exercise 3: Automating the Management of AD DS Objects

Logon information

Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1

User name: Administrator

Password: Pa$$w0rd

Estimated time: 40 minutes

Page 27: Module 3: Configuring Active Directory Objects and Trusts


Lab A Review

• How will the group strategies you use in your organization compare with the strategy used in this lab?

• Which of the options for automating AD DS object management will be most useful in your organization?

Page 28: Module 3: Configuring Active Directory Objects and Trusts


Lesson 4: Delegating Administrative Access to AD DS Objects

• Active Directory Object Permissions

• Demonstration: Active Directory Domain Services Object Permission Inheritance

• What Are Effective Permissions?

• What Is Delegation of Control?

• Discussion: Scenarios for Delegating Control

• Demonstration: Configuring Delegation of Control

Page 29: Module 3: Configuring Active Directory Objects and Trusts

Active Directory Object Permissions

Active Directory permissions:

• Include standard permissions and special permissions:

Standard permissions are the most frequently assigned permissions

Special permissions provide a finer degree of control for assigning access to objects

• Can be allowed, implicitly denied, or explicitly denied

• Can be set at the object level or inherited from the parent object

Page 30: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Active Directory Domain Services Object Permission Inheritance

In this demonstration, you will see how permissions are inherited for AD DS objects

Page 31: Module 3: Configuring Active Directory Objects and Trusts

What Are Effective Permissions?

Effective permissions are the actual permissions that are granted to the specified user or group:

• Permissions are cumulative, including permissions assigned to the user account and the group account

• Explicit deny permissions override allow permissions

• Explicit allow permissions override explicit deny permissions

• Object owners can always change permissions

• Special identities are not used when this tool calculates effective permissions

Page 32: Module 3: Configuring Active Directory Objects and Trusts

What Is Delegation of Control?

Diagram: a domain containing OU1, OU2, and OU3, with Admin1, Admin2, and Admin3 as the delegated administrators

Assigns the responsibility of managing Active Directory objects to another user or group

• Delegated administration:

Eases administration by distributing routine administrative tasks

Provides users or groups more control over local network resources

Eliminates the need for multiple administrative accounts
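One concrete delegation of the kind the slide describes: granting a help-desk group the right to reset passwords for user objects under an OU, which is what the Delegation of Control Wizard writes into the OU's ACL, followed by a listing of the explicit ACEs so the delegation can be reviewed against the object-permission rules from the earlier slides. This is an added example, not the course's demonstration; the OU and group names are assumed, the two GUIDs are the well-known schema values for the Reset Password control access right and the user object class, and the Get-Acl / Set-Acl calls rely on the AD: drive that the ActiveDirectory module provides.

```powershell
# Added example (not from the course slides): delegate "Reset Password" on an OU
# to a help-desk group, then list the explicit ACEs for review.
# OU and group names are assumed; the GUIDs are schema constants.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

$ouDn     = 'OU=Sales,DC=contoso,DC=com'     # assumed OU
$groupSam = 'HelpDesk-Sales'                 # assumed existing security group

# Well-known schema GUIDs (from the AD schema, not from the slides):
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password control access right
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

function Grant-ResetPasswordOnOu {
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Allow the extended right, inherited by descendant *user* objects only:
    # not by the OU itself, and not by computers or groups underneath it.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Review: explicit (non-inherited) ACEs on the OU are the delegations made at this
# level; anything inherited comes from the domain or a parent OU.
function Get-ExplicitDelegations {
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            @{ n = 'Right';     e = { if ($_.ObjectType -eq $resetPasswordRight) { 'Reset Password' } else { $_.ObjectType } } },
            @{ n = 'AppliesTo'; e = { if ($_.InheritedObjectType -eq $userClass) { 'user objects' } else { $_.InheritedObjectType } } },
            InheritanceType
}

Grant-ResetPasswordOnOu -OuDn $ouDn -GroupSam $groupSam
Get-ExplicitDelegations -OuDn $ouDn | Format-Table -AutoSize
```

The inherited-object-type argument is the detail that matters: without it the same ACE would let the group reset passwords on every descendant object that supports the right, including computer accounts and any privileged users parked under that OU, which is considerably more than "help desk resets user passwords".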

Page 33: Module 3: Configuring Active Directory Objects and Trusts


Discussion: Scenarios for Delegating Control

• What are the benefits of delegating administrative permissions?

• How would you use delegation of control in your organization?

Page 34: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Configuring Delegation of Control

In this demonstration, you will see how to configure delegation of control

Page 35: Module 3: Configuring Active Directory Objects and Trusts


Lesson 5: Configuring AD DS Trusts

• What Are AD DS Trusts?

• AD DS Trust Options

• How Trusts Work Within a Forest

• How Trusts Work Between Forests

• Demonstration: Configuring Trusts

• What Are User Principal Names?

• What Are the Selective Authentication Settings?

• Demonstration: Configuring Advanced Trust Settings

Page 36: Module 3: Configuring Active Directory Objects and Trusts


What Are AD DS Trusts?

Provide a mechanism for users to gain access to resources in another domain

Trust characteristics:

• Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains

• Trust direction – the trust direction defines the account domain and the resource domain

• Authentication protocol – the protocol that you use to establish and maintain the trust

Page 37: Module 3: Configuring Active Directory Objects and Trusts

AD DS Trust Options

Diagram of trust options: two forests (Forest 1 and Forest 2), each with a forest root domain and child domains (Domains A, B, C, D, E, F, P, and Q), showing parent/child trusts, tree/root trusts, a shortcut trust, a forest trust between the two forests, an external trust, and a realm trust to a Kerberos realm.

Page 38: Module 3: Configuring Active Directory Objects and Trusts

How Trusts Work Within a Forest

Diagram: a forest made up of Tree One and Tree Two, with a Forest Root Domain, a Tree Root Domain, and child domains (Domain 1, Domain 2, Domain A, Domain B, and Domain C).

Page 39: Module 3: Configuring Active Directory Objects and Trusts

How Trusts Work Between Forests

Diagram: a forest trust between the WoodgroveBank.com forest (child domain EMEA.WoodgroveBank.com) and the contoso.com forest (child domain NA.Contoso.com), each with a global catalog, and the sites Seattle and Vancouver; numbered steps 1 to 9 trace a request across the trust.

Page 40: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Configuring Trusts

In this demonstration, you will see how to configure shortcut, external, and forest trusts

Page 41: Module 3: Configuring Active Directory Objects and Trusts

What Are User Principal Names?

• A UPN is a logon name that includes the user logon name and a domain suffix

• The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name

• Additional UPN domain suffixes can be added

• UPNs must be unique in a forest

UPN suffixes can be used for routing authentication requests between trusted forests:

• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests

• You can manually enable or disable name suffix routing across trusts

Page 42: Module 3: Configuring Active Directory Objects and Trusts

What Are the Selective Authentication Settings?

Selective authentication:

• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer

• Configured on the security descriptor of the computer object located in Active Directory

To configure selective authentication:

• Configure the forest or external trust to use selective rather than domain-wide authentication

• Configure the computer accounts for selective authentication
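The two selective-authentication steps above, carried out from the command line instead of the trust wizard used in the demonstrations, followed by a review of the resulting trust and computer-object settings. This is an added example and not the course's own lab steps: the domain names contoso.com and WoodgroveBank.com come from the module's diagrams, while the server, the partner group, and the credential prompts are assumed; Get-ADTrust requires the Server 2012 or later ActiveDirectory module, and the GUID is the schema value of the Allowed to Authenticate control access right.

```powershell
# Added example (not from the course slides): selective authentication on an
# external trust, done with netdom and dsacls. contoso.com (trusting, resource
# domain) and WoodgroveBank.com (trusted, account domain) are from the module's
# diagrams; server, group and credentials are assumed. Run on a contoso.com DC.

# Step 1a. Create the one-way external trust. /PasswordD:* and /PasswordO:*
#          prompt for the passwords instead of embedding them in the script.
netdom trust contoso.com /d:WoodgroveBank.com /add `
    /UserD:WOODGROVEBANK\Administrator /PasswordD:* `
    /UserO:CONTOSO\Administrator      /PasswordO:*

# Step 1b. Switch the trust from domain-wide to selective authentication, and keep
#          SID filtering (quarantine) on; it is the default for a new external trust.
netdom trust contoso.com /d:WoodgroveBank.com /SelectiveAUTH:yes `
    /UserD:WOODGROVEBANK\Administrator /PasswordD:*
netdom trust contoso.com /d:WoodgroveBank.com /Quarantine:yes `
    /UserD:WOODGROVEBANK\Administrator /PasswordD:*

netdom trust contoso.com /d:WoodgroveBank.com /verify

# Step 2. With selective authentication, users from the trusted domain can only
#         authenticate to computers whose object grants them the "Allowed to
#         Authenticate" control access right. Grant it per computer, to a group
#         from the trusted domain, never to Everyone or Authenticated Users.
$serverDn = 'CN=NYC-SVR1,OU=Servers,DC=contoso,DC=com'   # assumed computer object
dsacls $serverDn /G "WOODGROVEBANK\Partner Users:CA;Allowed to Authenticate"

# Review: every trust with its security-relevant settings, then the principals
# that may authenticate to the server.
Import-Module ActiveDirectory
function Get-TrustSummary {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
}
function Get-AllowedToAuthenticate {
    param([string]$ComputerDn)
    $allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # schema rightsGuid
    (Get-Acl -Path "AD:\$ComputerDn").Access |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}
Get-TrustSummary | Format-Table -AutoSize
Get-AllowedToAuthenticate -ComputerDn $serverDn
```

The review functions are what to keep: a trust that reports SelectiveAuthentication as False, or a computer object whose Allowed to Authenticate ACE names a broad built-in group, means the trust is effectively domain-wide again regardless of what the wizard was set to originally.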

Page 43: Module 3: Configuring Active Directory Objects and Trusts


Demonstration: Configuring Advanced Trust Settings

In this demonstration, you will see how to configure advanced trust settings

Page 44: Module 3: Configuring Active Directory Objects and Trusts

Lab B: Configuring Active Directory Delegation and Trusts

• Exercise 1: Delegating Control of AD DS Objects

• Exercise 2: Configuring AD DS Trusts

Logon information

Virtual machines: 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-SVR1

User name: Administrator

Password: Pa$$w0rd

Estimated time: 20 minutes

Page 45: Module 3: Configuring Active Directory Objects and Trusts


Lab B Review

• After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain?

• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?

Page 46: Module 3: Configuring Active Directory Objects and Trusts


Module Review and Takeaways

• Review questions

• Considerations for configuring Active Directory objects

• Tools

Page 47: Module 3: Configuring Active Directory Objects and Trusts

Beta Feedback Tool

• The beta feedback tool helps: collect student roster information, module feedback, and course evaluations; identify and sort the changes that students request, thereby facilitating a quick team triage; and save data to a database in SQL Server that you can later query.

• Walkthrough of the tool

Page 48: Module 3: Configuring Active Directory Objects and Trusts

Beta Feedback

• Overall flow of module: Which topics did you think flowed smoothly from topic to topic? Was something taught out of order?

• Pacing: Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

• Learner activities: Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?