
Module 5

Configuring
Active Directory
Objects and Trusts
Module Overview
Delegate Administrative Access to Active Directory
Objects
Configure Active Directory Trusts
Lesson 1: Delegate Administrative Access to
Active Directory Objects
Active Directory Object Permissions
What Are Effective Permissions?
What Is Delegation of Control?
The Delegation of Control Wizard
Discussion: Scenarios for Delegating Control
Active Directory Object Permissions
Include standard permissions and special permissions
Can be set at object level, or inherited from the parent object
Can be allowed, implicitly denied, or explicitly denied
Standard permissions are the most frequently assigned permissions
Special permissions provide a finer degree of control for assigning access to objects
Demonstration: Active Directory Domain Services Object Permission Inheritance
In this demonstration, you will see:
How permissions are inherited for AD DS objects
How to view effective permissions on an object
What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group
Permissions are cumulative, including permissions assigned to the user account and to the groups the user belongs to
Explicit deny permissions override inherited allow permissions
Use the Effective Permissions tool to view effective permissions
Special identities can be used on the Effective Permissions tab to view special permissions
The Effective Permissions tool does not take share permissions into account
What Is Delegation of Control?
Assigns the responsibility of managing Active Directory objects to another user or group
(Diagram: a Domain containing OU1, OU2 and OU3, with administrators Admin1, Admin2 and Admin3)
Delegated administration:
Eases administration by distributing routine administrative tasks
Provides users or groups more control over local network resources
Eliminates the need for multiple administrative accounts
The Delegation of Control Wizard
Use the Delegation of Control Wizard to:
Assign appropriate permissions to users and groups
Specify user or group to which you want to delegate control
Specify OUs and objects that you want to grant the user or group
permission to control
Specify tasks that you want the user or group to be able to
perform
Modifying the Delegation of Control Wizard:
List of common tasks in the wizard is controlled by templates in
the delegwiz.inf file
You can change the list of common tasks by modifying the
delegwiz.inf file to include other templates
Discussion: Scenarios for Delegating Control
What are the benefits of delegating administrative
permissions?
How would you use delegation of control in your
organization?
Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to:
Configure delegation with Delegation of Control Wizard
Configure delegation using a Windows PowerShell script
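The PowerShell delegation shown in the demonstration, as an added example that is not part of the course material: it grants a group the same Reset Password right the wizard's password-reset task grants, scoped to user objects below an OU, and then lists the explicit ACEs so the delegation and its inheritance can be reviewed. The OU name, group name and domain are assumed; the two GUIDs are the well-known schema GUIDs for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the course material): delegate "Reset Password" on an OU to a group,
# then list the explicit (non-inherited) ACEs on the OU for review.
# Assumed names: OU "Interns" in contoso.com, group "Helpdesk-PasswordReset".
Import-Module ActiveDirectory

$ouDN  = 'OU=Interns,DC=contoso,DC=com'                   # assumed OU
$group = Get-ADGroup -Identity 'Helpdesk-PasswordReset'    # assumed group
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known schema GUIDs: the Reset Password extended right and the user object class.
$resetPasswordRight = [guid] '00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

# Allow the extended right on descendant user objects only (Descendents + inheritedObjectType):
# the ACE is inherited by users in the OU but grants nothing on the OU itself or on groups.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review: explicit ACEs are what was granted on this OU; inherited ones come from the parent.
# Comparing the two is the check behind the "effective permissions" slide above.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```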
Lab A: Configuring Active Directory Delegation
Exercise 1: Delegating Control of AD DS Objects
Logon information
Virtual machines: NYC-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
Woodgrove Bank has also established a partner relationship
with another organization. Some users in each organization
must be able to access resources in the other organization.
However, the access between organizations must be limited
to as few users as possible.
Lesson 2: Configure Active Directory Trusts
What Are AD DS Trusts?
AD DS Trust Options
How Trusts Work Within a Forest
How Trusts Work Between Forests
What Are User Principal Names?
What Are the Selective Authentication Settings?
What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources
in another domain
Trust characteristics:
Transitivity: the trust relationship extends beyond a two-domain trust to include other trusted domains
Trust direction: the trust direction defines the account domain and the resource domain
Authentication protocol: the protocol that you use to establish and maintain the trust
AD DS Trust Options
Tree/Root Trust
Forest Trust
Shortcut Trust
External Trust
Realm Trust
Parent/Child Trust
How Trusts Work Within a Forest
(Diagram: one forest with Tree One and Tree Two; labelled domains are the Forest Root Domain, the Tree Root Domain, Domain 1, Domain 2, Domain A, Domain B and Domain C)
How Trusts Work Between Forests
(Diagram: a Forest trust between WoodgroveBank.com and contoso.com, each forest with its own Global catalog; child domains EMEA.WoodgroveBank.com and NA.Contoso.com; locations Seattle and Vancouver; numbered steps 1 to 9 whose legend is not on this page)
Demonstration: Reviewing Trusts
In this demonstration, you will see how to:
Review the Active Directory Domains and Trusts MMC
What Are User Principal Names?
A UPN is a logon name that includes the user logon name and a domain suffix
The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name
Additional UPN domain suffixes can be added
UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
You can manually enable or disable name suffix routing across trusts
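An added example, not part of the course material, for the UPN rules above: it adds a custom UPN suffix to the forest and checks that a candidate UPN is unused forest-wide before assigning it, querying a global catalog because uniqueness is a forest-level requirement, not a domain-level one. The suffix, user and candidate UPN are assumed values.

```powershell
# Added example (not from the course material): add a forest UPN suffix and enforce
# forest-wide UPN uniqueness before assigning a UPN.
# Assumed values: suffix 'wb.example', user 'jsmith', candidate UPN 'jsmith@wb.example'.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Current UPN suffixes: ' + (($forest.UPNSuffixes + $forest.RootDomain) -join ', ')

# Register the extra suffix at the forest level. Whether it is routed to a trusted
# forest is a separate, per-trust name-suffix-routing setting.
Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = 'wb.example' }   # assumed suffix

# UPNs must be unique in the whole forest, so ask a global catalog (LDAP port 3268)
# instead of a single domain's DC, which only sees its own domain.
$gc  = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$upn = 'jsmith@wb.example'                                                    # assumed UPN
$existing = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server "${gc}:3268"

if ($existing) {
    "UPN $upn already belongs to $($existing.DistinguishedName); choose another"
} else {
    Set-ADUser -Identity 'jsmith' -UserPrincipalName $upn                     # assumed user
    "Assigned $upn"
}
```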
What Are the Selective Authentication Settings?
Selective authentication:
Limits which computers can be accessed by users from a
trusted domain, and which users
in the trusted domain can access the computer
Configured on the security descriptor of the computer
object located in AD DS
To configure selective authentication:
Configure the forest or external trust to use selective
rather than domain-wide authentication
Configure the computer accounts for selective
authentication
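The two selective-authentication steps above, as an added example that is not part of the course material: it first reviews the domain's trusts for the settings a defender cares about (selective authentication, SID filtering), switches the forest trust to selective authentication, and then grants the well-known "Allowed to Authenticate" right on one computer account to a group from the trusted forest. The server name and partner group name are assumed; the domain names follow the forest-trust diagram on this page.

```powershell
# Added example (not from the course material): review trusts, switch a forest trust to
# selective authentication, and allow one trusted-forest group onto one computer.
# Assumed names: server 'FS1' and trusted-forest group 'CONTOSO\Partner-FileAccess'.
Import-Module ActiveDirectory

# 1. Review: with SelectiveAuthentication = False, every user of the trusted forest can
#    authenticate to every computer in this domain (subject only to share/NTFS ACLs).
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. Switch the forest trust from domain-wide to selective authentication.
#    woodgrovebank.com is the trusting (resource) forest, contoso.com the trusted one.
netdom trust woodgrovebank.com /domain:contoso.com /SelectiveAuth:yes

# 3. Grant "Allowed to Authenticate" on FS1's computer object to the partner group.
$computer = Get-ADComputer -Identity 'FS1'                                  # assumed server
$partner  = [System.Security.Principal.NTAccount] 'CONTOSO\Partner-FileAccess'
$allowedToAuthenticate = [guid] '68b1d179-0d15-4d4f-ab71-46152e79a7bc'      # well-known right GUID

$path = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $path
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $partner,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: only computers carrying this ACE are reachable by trusted-forest users.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```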
Lab B: Configuring Active Directory Trusts
Exercise 1: Configuring AD DS Trusts
Logon information
Virtual machines: NYC-DC1, NYC-DC2, NYC-CL1, VAN-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes
Lab Scenario
Woodgrove Bank has several requirements for managing AD
DS objects. The organization frequently hires interns who
must have limited permissions and whose accounts must be
set to expire automatically when the internship is complete.
User accounts must also be configured with a standard
configuration. The organization also requires AD DS groups
that will be used to assign permissions to a variety of
network resources. The organization would like to automate
the user and group management tasks, and delegate some
administrative tasks to junior administrators.
Lab Review
After the trusts are configured as described in the lab,
what resources will users in Woodgrove Bank be able to
access in the Fabrikam.com domain?
How would you configure a forest trust with another
organization if the organization does not provide you with
their administrator credentials?
Module Review and Takeaways
Review questions
Considerations for managing Active Directory objects and
trusts
