Module 5 Configuring Active Directory Objects and Trusts
Jan 13, 2016
Module Overview
• Delegate Administrative Access to Active Directory® Objects
• Configure Active Directory Trusts
Active Directory Object Permissions
Include standard permissions and special permissions
• Can be set at object level, or inherited from the parent object
• Can be allowed, implicitly denied, or explicitly denied
• Standard permissions are the most frequently assigned permissions
• Special permissions provide a finer degree of control for assigning access to objects
What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group
• Permissions are cumulative, including permissions assigned to the user account and the group account
• Explicit deny permissions override inherited allow permissions
• Explicit allow permissions override inherited deny permissions
Use the Effective Permissions tool to view effective permissions
• Special identities are not used when using the Effective Permissions tab to view special permissions
• Effective Permissions tool does not take into account share permissions
What Is Delegation of Control?
Assigns the responsibility of managing Active Directory objects to another user or group
[Figure: a domain containing OU1, OU2 and OU3, with Admin1, Admin2 and Admin3 each delegated control of one OU]
• Delegated administration:
Eases administration by distributing routine administrative tasks
Provides users or groups more control over local network resources
Eliminates the need for multiple administrative accounts
The Delegation of Control Wizard
Use the Delegation of Control Wizard to:
• Automatically assign appropriate permissions to users and groups
• Specify user or group to which you want to delegate control
• Specify OUs and objects that you want to grant the user or group permission to control
• Specify tasks that you want the user or group to be able to perform
Modifying the Delegation of Control Wizard:
• List of common tasks in the wizard is controlled by templates in the delegwiz.inf file
• You can change the list of common tasks by modifying the delegwiz.inf file to include other templates
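The following PowerShell reproduces what the wizard's "Reset user passwords" task writes to an OU's ACL, then applies the effective-permissions rules from the earlier slide (an explicit Deny on a child OU overriding the Allow inherited from its parent) and lists the resulting delegation for review. It is an added example, not part of the course material; the OU names, the child OU and the helpdesk group are assumed.

```powershell
# Added example (not part of the course slides): delegate "Reset user passwords" on an
# OU with PowerShell instead of the Delegation of Control Wizard, add an explicit Deny
# on a child OU, then list the delegated ACEs for review.
# Assumed names: OU=Seattle,DC=contoso,DC=com, child OU=Executives, group CONTOSO\SEA-Helpdesk.
Import-Module ActiveDirectory

$ouDn   = 'OU=Seattle,DC=contoso,DC=com'      # assumed OU
$execDn = "OU=Executives,$ouDn"               # assumed child OU
$group  = [System.Security.Principal.NTAccount]::new('CONTOSO\SEA-Helpdesk')  # assumed group

# Well-known schema GUIDs (the same ones the delegwiz.inf templates reference)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

function New-ResetPasswordAce {
    # Builds an ACE that applies only to user objects below the target (Descendents),
    # which is how the wizard scopes the "Reset user passwords" task.
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Type,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
}

# 1. Allow on the parent OU: inherited by every user object beneath it
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule((New-ResetPasswordAce -Identity $group -Type Allow))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 2. Explicit Deny on the child OU: an explicit Deny overrides an inherited Allow,
#    so the helpdesk cannot reset passwords of users under OU=Executives
$execAcl = Get-Acl -Path "AD:\$execDn"
$execAcl.AddAccessRule((New-ResetPasswordAce -Identity $group -Type Deny))
Set-Acl -Path "AD:\$execDn" -AclObject $execAcl

# 3. Review: non-inherited ACEs are where delegation lives; inherited ones come from parents
function Get-DelegationAce {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegationAce -DistinguishedName $ouDn   | Format-Table -AutoSize
Get-DelegationAce -DistinguishedName $execDn | Format-Table -AutoSize
```

Running Get-DelegationAce periodically against every OU, and diffing the output against the last known-good run, is the practical way to catch delegation that was granted outside the wizard or never removed.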
What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources in another domain
Trust characteristics:
• Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains
• Trust direction – the trust direction defines the account domain and the resource domain
• Authentication protocol – the protocol that you use to establish and maintain the trust
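The three characteristics above are all exposed as properties of each trust object, so an inventory script can report them and flag trusts that widen exposure. The following is an added example, not course material; it reads the local domain's trusts and assumes no names.

```powershell
# Added example (not part of the course slides): inventory the trusts of the local domain
# and flag the ones that deserve review. Requires the ActiveDirectory module on a
# domain-joined machine; nothing is assumed because it reads the live domain.
Import-Module ActiveDirectory

function Get-TrustReport {
    # Direction is relative to the local domain: Inbound means the partner's accounts can be
    # authorized to local resources (local domain = resource domain); Outbound means local
    # accounts can reach the partner's resources (local domain = account domain).
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                 = $_.Target
            TrustType               = $_.TrustType               # Uplevel (AD DS), Downlevel (NT 4), MIT (Kerberos realm)
            Direction               = $_.Direction               # Inbound, Outbound, BiDirectional
            IntraForest             = $_.IntraForest             # parent/child, tree/root, shortcut
            ForestTransitive        = $_.ForestTransitive        # forest trust
            SelectiveAuthentication = $_.SelectiveAuthentication
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined # shown for manual review
            SIDFilteringForestAware = $_.SIDFilteringForestAware # shown for manual review
        }
    }
}

function Find-TrustsToReview {
    # Trusts from outside the forest that let the partner's accounts into this domain with
    # domain-wide (not selective) authentication give every partner account a foothold here;
    # each one should have a documented justification.
    param([object[]]$Report)
    $Report | Where-Object {
        -not $_.IntraForest -and
        $_.Direction -ne 'Outbound' -and
        -not $_.SelectiveAuthentication
    }
}

$report = Get-TrustReport
$report | Format-Table -AutoSize
Find-TrustsToReview -Report $report |
    Format-Table Partner, TrustType, Direction, ForestTransitive, SelectiveAuthentication -AutoSize
```

The two SID filtering columns are included because their meaning differs between external and forest trusts; review them against the trust type rather than treating either value as good or bad on its own.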
AD DS Trust Options
[Figure: Forest 1 (forest root with Domains A through F in two trees) and Forest 2 (forest root with Domains P and Q), plus a Kerberos realm. Trust types shown: Parent/Child Trust, Tree/Root Trust, Shortcut Trust, Forest Trust, External Trust, Realm Trust]
How Trusts Work Within a Forest
[Figure: Forest Root Domain with Tree One and Tree Two beneath it; labels: Tree Root Domain, Domain 1, Domain 2, Domain A, Domain B, Domain C]
How Trusts Work Between Forests
[Figure: forest trust between Forest 1 (WoodgroveBank.com, with child domain EMEA.WoodgroveBank.com) and Forest 2 (contoso.com, with child domain NA.Contoso.com); each forest has a global catalog; sites Seattle and Vancouver; the cross-forest authentication path is numbered in steps 1 through 9]
What Are User Principal Names?
• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user’s home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
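As an added example (not from the course material), the PowerShell below adds a UPN suffix at the forest level, assigns it to a user, and checks the forest-wide uniqueness rule through a global catalog query. The suffix corp.contoso.com, the user jsmith and the trust partner woodgrovebank.com are assumed names.

```powershell
# Added example (not part of the course slides): add a UPN suffix to the forest, assign it
# to a user, and check the forest-wide uniqueness rule through a global catalog query.
# Assumed names: suffix corp.contoso.com, user jsmith, trust partner woodgrovebank.com.
Import-Module ActiveDirectory

$newSuffix = 'corp.contoso.com'   # assumed additional suffix
$forest    = Get-ADForest

# A UPN suffix is a forest-wide setting, so it is registered on the forest object
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $newSuffix }
}
(Get-ADForest).UPNSuffixes

# Assign the new UPN to a user: user logon name + '@' + suffix
Set-ADUser -Identity 'jsmith' -UserPrincipalName "jsmith@$newSuffix"

function Find-DuplicateUpn {
    # UPNs must be unique in the forest, so query a global catalog (port 3268) with an
    # empty search base, which covers every domain, and report values seen more than once.
    param([string]$ForestName = (Get-ADForest).Name)
    Get-ADObject -LDAPFilter '(userPrincipalName=*)' -Properties userPrincipalName `
                 -Server "${ForestName}:3268" -SearchBase '' -SearchScope Subtree |
        Group-Object -Property userPrincipalName |
        Where-Object Count -gt 1 |
        Select-Object @{ n = 'UPN';     e = { $_.Name } },
                      Count,
                      @{ n = 'Objects'; e = { $_.Group.DistinguishedName -join '; ' } }
}
Find-DuplicateUpn

# Name suffix routing is managed per trust. netdom lists each suffix and whether it is
# routed to the partner forest (assumed trusting domain contoso.com, partner woodgrovebank.com):
#   netdom trust contoso.com /domain:woodgrovebank.com /NameSuffixes:woodgrovebank.com
```

Running Find-DuplicateUpn before you add a suffix that the trust partner also uses is worth the minute it takes: a suffix present in both forests is what makes routing switch itself off.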
What Are the Selective Authentication Settings?
Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Configured on the security descriptor of the computer object located in AD DS
To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
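The two steps above, as an added PowerShell example that is not part of the course material. The trusting domain contoso.com, the trusted forest woodgrovebank.com, the file server SEA-FS01 and the group WOODGROVEBANK\Finance Users are assumed names.

```powershell
# Added example (not part of the course slides): configure selective authentication.
# Assumed names: local (trusting) domain contoso.com, trusted forest woodgrovebank.com,
# computer SEA-FS01 and the trusted-forest group WOODGROVEBANK\Finance Users.
Import-Module ActiveDirectory

# Step 1: switch the forest or external trust from domain-wide to selective authentication.
# Run in the trusting (resource) domain with Domain Admins or Enterprise Admins rights.
netdom trust contoso.com /domain:woodgrovebank.com /SelectiveAuth:yes
(Get-ADTrust -Identity 'woodgrovebank.com').SelectiveAuthentication   # should now report True

# Step 2: with selective authentication on, accounts from the trusted forest cannot
# authenticate to a computer until they hold "Allowed to Authenticate" on that computer
# object. Grant it per computer, per group.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate extended right

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName,   # sAMAccountName without the trailing $
        [string]$Principal       # DOMAIN\Group from the trusted forest
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path     = "AD:\$($computer.DistinguishedName)"
    $identity = [System.Security.Principal.NTAccount]::new($Principal)
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticate {
    # Review which principals may authenticate to a computer; entries from the trusted
    # forest are exactly the access that selective authentication permits.
    param([string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}

Grant-AllowedToAuthenticate -ComputerName 'SEA-FS01' -Principal 'WOODGROVEBANK\Finance Users'
Get-AllowedToAuthenticate   -ComputerName 'SEA-FS01'
```

Granting the right to a group rather than individual users keeps the computer ACLs stable; membership changes then happen in the trusted forest without touching the resource domain.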