Module 5 Configuring Active Directory Objects and Trusts
Page 1: Module 5 Configuring Active Directory Objects and Trusts.

Module 5: Configuring Active Directory Objects and Trusts

Page 2: Module 5 Configuring Active Directory Objects and Trusts.

Module Overview

• Delegate Administrative Access to Active Directory® Objects

• Configure Active Directory Trusts

Page 3: Module 5 Configuring Active Directory Objects and Trusts.

Active Directory Object Permissions

Include standard permissions and special permissions

• Can be set at object level, or inherited from the parent object

• Can be allowed, implicitly denied, or explicitly denied

• Standard permissions are the most frequently assigned permissions

• Special permissions provide a finer degree of control for assigning access to objects

Page 4: Module 5 Configuring Active Directory Objects and Trusts.

What Are Effective Permissions?

Effective permissions are the actual permissions that are granted to the specified user or group

• Permissions are cumulative, including permissions assigned to the user account and the group account

• Explicit deny permissions override inherited allow permissions

• Explicit allow permissions override inherited deny permissions

Use the Effective Permissions tool to view effective permissions

• Special identities are not taken into account when the Effective Permissions tab is used to view special permissions

• The Effective Permissions tool does not take share permissions into account
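As an added illustration (not from the course slides), the following Python model applies the rules above to a constructed ACL: ACEs are evaluated in Windows canonical order (explicit deny, explicit allow, inherited deny, inherited allow), permissions for the user and for every group the user belongs to accumulate, and the first ACE that matches a right decides it. The trustees, rights and ACEs are all made up for the example.

```python
# Constructed sample ACL on one AD object (not from the slides).
# Each ACE: (trustee, "allow" | "deny", set of rights, inherited_from_parent)
SAMPLE_ACES = [
    ("HelpDesk", "allow", {"ReadProperty", "ResetPassword"}, True),  # inherited from the OU
    ("Everyone", "deny", {"Delete"}, True),                           # inherited deny
    ("Alice", "allow", {"Delete"}, False),                            # explicit allow on this object
    ("Contractors", "deny", {"ResetPassword"}, False),                # explicit deny on this object
]
ALL_RIGHTS = {"ReadProperty", "ResetPassword", "Delete"}

def canonical_order(aces):
    """Sort ACEs the way Windows evaluates them: explicit deny, explicit allow,
    inherited deny, inherited allow. This ordering is what makes an explicit
    entry override an inherited one and, at the same level, deny beat allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(aces, key=lambda ace: rank[(ace[3], ace[1])])

def effective_permissions(user, groups, aces=SAMPLE_ACES, all_rights=ALL_RIGHTS):
    """Return the set of rights the user actually holds on the object.
    Permissions are cumulative: ACEs for the user and for every group the user
    belongs to all count. For each right, the first matching ACE in canonical
    order decides; a right that no ACE mentions is implicitly denied."""
    principals = {user, *groups}
    granted = set()
    for right in all_rights:
        for trustee, kind, rights, _inherited in canonical_order(aces):
            if trustee in principals and right in rights:
                if kind == "allow":
                    granted.add(right)
                break  # later ACEs for this right are never consulted
    return granted

if __name__ == "__main__":
    # Alice's explicit allow on Delete overrides the inherited deny for Everyone
    print(sorted(effective_permissions("Alice", {"HelpDesk", "Everyone"})))
    # Bob's explicit Contractors deny overrides the inherited HelpDesk allow on ResetPassword
    print(sorted(effective_permissions("Bob", {"HelpDesk", "Contractors", "Everyone"})))
```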

Page 5: Module 5 Configuring Active Directory Objects and Trusts.

What Is Delegation of Control?

Delegation of control assigns the responsibility of managing Active Directory objects to another user or group

• Delegated administration:

Eases administration by distributing routine administrative tasks

Provides users or groups more control over local network resources

Eliminates the need for multiple administrative accounts

[Diagram: a domain containing OU1, OU2 and OU3, with Admin1, Admin2 and Admin3 each delegated control over an OU]

Page 6: Module 5 Configuring Active Directory Objects and Trusts.

The Delegation of Control Wizard

Use the Delegation of Control Wizard to:

• Automatically assign appropriate permissions to users and groups

• Specify user or group to which you want to delegate control

• Specify OUs and objects that you want to grant the user or group permission to control

• Specify tasks that you want the user or group to be able to perform

Modifying the Delegation of Control Wizard:

• List of common tasks in the wizard is controlled by templates in the delegwiz.inf file

• You can change the list of common tasks by modifying the delegwiz.inf file to include other templates

Page 7: Module 5 Configuring Active Directory Objects and Trusts.

What Are AD DS Trusts?

Provide a mechanism for users to gain access to resources in another domain

Trust characteristics:

• Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains

• Trust direction – the trust direction defines the account domain and the resource domain

• Authentication protocol – the protocol that you use to establish and maintain the trust
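The two characteristics that decide whether an account can reach a resource, transitivity and direction, can be checked mechanically. This Python model is an added example, not material from the course: it records every trust as a one-way (trusting, trusted) edge and searches from the resource domain for a chain through which it ends up trusting the account domain. The topology is constructed for the example, loosely modelled on the Woodgrove Bank and Contoso forests used later in the module, plus an invented fabrikam.com forest joined by a one-way external trust.

```python
from collections import deque

def two_way(a, b, kind):
    """A two-way trust is recorded as two one-way entries so direction stays explicit."""
    return [(a, b, kind), (b, a, kind)]

# Constructed topology (not from the slides): Forest 1 is the woodgrovebank.com tree,
# Forest 2 is the contoso.com tree, and fabrikam.com is a third forest reachable only
# through a one-way, nontransitive external trust from na.contoso.com.
# Each entry: (trusting/resource domain, trusted/account domain, trust type)
TRUSTS = (
    two_way("woodgrovebank.com", "emea.woodgrovebank.com", "parent-child")
    + two_way("contoso.com", "na.contoso.com", "parent-child")
    + two_way("woodgrovebank.com", "contoso.com", "forest")
    + [("na.contoso.com", "fabrikam.com", "external")]
)
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest"}

def trust_path(account_domain, resource_domain, trusts=TRUSTS):
    """Return the chain of domains, resource side first, through which the resource
    domain ends up trusting the account domain, or None if no usable chain exists.
    Rules modelled: a transitive trust may be chained; a nontransitive (external)
    trust only works as a direct, single hop; a forest trust is transitive between
    the two forests it joins but does not chain on to a third forest."""
    if account_domain == resource_domain:
        return [resource_domain]
    queue = deque([(resource_domain, [resource_domain], 0)])  # (domain, path, forest hops)
    seen = {resource_domain}
    while queue:
        here, path, forest_hops = queue.popleft()
        for trusting, trusted, kind in trusts:
            if trusting != here or trusted in seen:
                continue
            if kind not in TRANSITIVE and len(path) > 1:
                continue  # a nontransitive trust cannot follow other hops
            hops = forest_hops + (kind == "forest")
            if hops > 1:
                continue  # a second forest trust would extend trust across forests
            new_path = path + [trusted]
            if trusted == account_domain:
                return new_path
            if kind not in TRANSITIVE:
                continue  # and nothing can be chained after a nontransitive trust
            seen.add(trusted)
            queue.append((trusted, new_path, hops))
    return None
```

Running trust_path("fabrikam.com", "contoso.com") returns None because the only link to fabrikam.com is the nontransitive external trust held by the child domain, while trust_path("na.contoso.com", "emea.woodgrovebank.com") walks up to the forest root, across the forest trust and down again.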

Page 8: Module 5 Configuring Active Directory Objects and Trusts.

AD DS Trust Options

[Diagram: AD DS trust options. Labels: Forest 1 (forest root plus Domains A, B, C, D, E and F), Forest 2 (forest root plus Domains P and Q) and a Kerberos Realm. Trust types shown: Parent/Child trust, Tree/Root trust, Shortcut trust, Forest trust, External trust and Realm trust]

Page 9: Module 5 Configuring Active Directory Objects and Trusts.

How Trusts Work Within a Forest

[Diagram: trusts within a forest. Labels: Tree One, Tree Two, Forest Root Domain, Tree Root Domain, Domain A, Domain B, Domain C, Domain 1, Domain 2]

Page 10: Module 5 Configuring Active Directory Objects and Trusts.

How Trusts Work Between Forests

[Diagram: forest trust between WoodgroveBank.com (Forest 1, with child domain EMEA.WoodgroveBank.com) and contoso.com (Forest 2, with child domain NA.Contoso.com). Each forest has a global catalog; the locations Seattle and Vancouver are shown, and numbered callouts 1 to 9 trace the cross-forest authentication flow]

Page 11: Module 5 Configuring Active Directory Objects and Trusts.

What Are User Principal Names?

• A UPN is a logon name that includes the user logon name and a domain suffix

• The domain suffix can be the user’s home domain, any other domain in the forest, or a custom domain name

• Additional UPN domain suffixes can be added

• UPNs must be unique in a forest

UPN suffixes can be used for routing authentication requests between trusted forests:

• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests

• You can manually enable or disable name suffix routing across trusts
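The suffix-routing rules just listed, as an added Python example that is not part of the course material: from the point of view of one forest, each UPN suffix published by the trusted forest is routed unless the same suffix also exists locally (automatic disable on conflict), an administrator override can flip either decision, and a logon is then sent to whichever forest owns the routed suffix. The forest names and suffixes are constructed; "corp.example" is registered in both forests on purpose to show the conflict case.

```python
# Constructed example (not from the slides): two forests joined by a forest trust, seen
# from contoso.com. "corp.example" is deliberately a UPN suffix in both forests.
LOCAL_FOREST = {"name": "contoso.com",
                "suffixes": {"contoso.com", "na.contoso.com", "corp.example"}}
TRUSTED_FOREST = {"name": "woodgrovebank.com",
                  "suffixes": {"woodgrovebank.com", "emea.woodgrovebank.com", "corp.example"}}

def build_suffix_routing(local, trusted, manual_overrides=None):
    """Routing table for the trusted forest's UPN suffixes as seen from the local forest.
    A suffix that exists in both forests is a conflict and is disabled automatically;
    manual_overrides maps suffix -> True/False for an administrator's enable/disable."""
    manual_overrides = manual_overrides or {}
    table = {}
    for suffix in trusted["suffixes"]:
        if suffix in manual_overrides:
            table[suffix] = (manual_overrides[suffix], "manual")
        elif suffix in local["suffixes"]:
            table[suffix] = (False, "conflict")
        else:
            table[suffix] = (True, "auto")
    return table

def route_logon(upn, local, trusted, table):
    """Name the forest that should authenticate this UPN: the local forest for its own
    suffixes, the trusted forest when the suffix is routed to it, otherwise None."""
    if "@" not in upn:
        return None  # not a UPN-style logon name
    suffix = upn.rpartition("@")[2].lower()
    if suffix in local["suffixes"]:
        return local["name"]
    enabled, _reason = table.get(suffix, (False, "unknown"))
    return trusted["name"] if enabled else None

if __name__ == "__main__":
    routing = build_suffix_routing(LOCAL_FOREST, TRUSTED_FOREST)
    for suffix, (enabled, reason) in sorted(routing.items()):
        print(f"{suffix:28} {'enabled' if enabled else 'disabled':8} ({reason})")
    print(route_logon("bob@emea.woodgrovebank.com", LOCAL_FOREST, TRUSTED_FOREST, routing))
```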

Page 12: Module 5 Configuring Active Directory Objects and Trusts.

What Are the Selective Authentication Settings?

Selective authentication:

• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer

• Configured on the security descriptor of the computer object located in AD DS

To configure selective authentication:

• Configure the forest or external trust to use selective rather than domain-wide authentication

• Configure the computer accounts for selective authentication
