Module 5: Configuring Active Directory Objects and Trusts

Module Overview

• Delegate Administrative Access to Active Directory® Objects
• Configure Active Directory Trusts
Lesson 1: Delegate Administrative Access to Active Directory Objects

• Active Directory Object Permissions
• What Are Effective Permissions?
• What Is Delegation of Control?
• The Delegation of Control Wizard
• Discussion: Scenarios for Delegating Control

Active Directory Object Permissions

• Include standard permissions and special permissions
• Can be set at the object level, or inherited from the parent object

• Can be allowed, implicitly denied (no ACE grants the right, so the access check fails), or explicitly denied (a Deny ACE)
• Standard permissions are the most frequently assigned permissions
• Special permissions provide a finer degree of control for assigning access to objects (per attribute, per object class, or per control access right)
Demonstration: Active Directory Domain Services Object Permission Inheritance

In this demonstration, you will see how:

• Permissions are inherited by AD DS objects
• Effective permissions on an object are viewed
What Are Effective Permissions?

Effective permissions are the actual permissions that are granted to the specified user or group

• Permissions are cumulative, including permissions assigned to the user account and to the groups that the user belongs to
• Explicit deny permissions override inherited allow permissions
• Explicit allow permissions override inherited deny permissions (explicit ACEs are evaluated before inherited ones)

Use the Effective Permissions tool to view effective permissions

• Special identities that depend on how the user logs on (such as Interactive) are not taken into account when you use the Effective Permissions tab
• The Effective Permissions tool does not take into account share permissions
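As an added example (not part of the course deck), the following Windows PowerShell function dumps the DACL of an OU in the order in which Windows evaluates ACEs, which is what makes an explicit Deny beat an inherited Allow and an explicit Allow beat an inherited Deny. It uses the ActiveDirectory module's AD: drive and resolves object-type GUIDs against the schema and the Extended-Rights container so that object-specific ACEs are readable. The OU distinguished name in the usage line is an assumption.

```powershell
# Added example, not from the course slides. Requires the ActiveDirectory
# module (RSAT) in a domain-joined session that can read the schema.
Import-Module ActiveDirectory

function Get-SchemaGuidMap {
    # Build a lookup from schemaIDGUID (attributes and classes) and rightsGuid
    # (control access rights) to display names, so object-specific ACEs such
    # as "Reset Password" or "pwdLastSet" are not printed as raw GUIDs.
    $rootDse = Get-ADRootDSE
    $map = @{}
    $map[[guid]::Empty] = '(all object types)'
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-AceEvaluationOrder {
    # Return the ACEs of one AD object ranked the way the access check walks
    # the DACL: explicit Deny, explicit Allow, then inherited Deny and
    # inherited Allow. The first ACE that matches a SID in the caller's token
    # and the requested right decides the outcome, which is why an explicit
    # ACE always wins over an inherited ACE of the opposite type.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $map = Get-SchemaGuidMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | ForEach-Object {
        $rank = 0
        if ($_.IsInherited) { $rank += 2 }
        if ($_.AccessControlType -eq 'Allow') { $rank += 1 }
        $objType = if ($map.ContainsKey($_.ObjectType)) { $map[$_.ObjectType] } else { $_.ObjectType }
        $inhType = if ($map.ContainsKey($_.InheritedObjectType)) { $map[$_.InheritedObjectType] } else { $_.InheritedObjectType }
        [pscustomobject]@{
            Rank                = $rank
            Type                = $_.AccessControlType
            Inherited           = $_.IsInherited
            Identity            = $_.IdentityReference.Value
            Rights              = $_.ActiveDirectoryRights
            AppliesTo           = $objType
            InheritedObjectType = $inhType
        }
    } | Sort-Object Rank, Identity
}

# Usage (OU name is an assumption): list the ACEs and read the explicit Deny
# entries first, because they silently override delegation granted higher up.
Get-AceEvaluationOrder -DistinguishedName 'OU=Interns,DC=woodgrovebank,DC=com' |
    Format-Table Rank, Type, Inherited, Identity, Rights, AppliesTo -AutoSize
```

The rank collapses all inherited ACEs into two groups; in the real canonical order inherited ACEs are additionally grouped by the ancestor they came from, nearest parent first, with Deny before Allow inside each group. That detail only matters when two ancestors contribute conflicting ACEs, and the output above still shows which ACE the access check reaches first for the common cases.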

What Is Delegation of Control?

Assigns the responsibility of managing Active Directory objects to another user or group

Delegated administration:

• Eases administration by distributing routine administrative tasks
• Provides users or groups more control over local network resources
• Eliminates the need for multiple administrative accounts

[Figure: a Domain containing OU1, OU2 and OU3, with Admin1, Admin2 and Admin3 each delegated control of an OU]
The Delegation of Control Wizard

Use the Delegation of Control Wizard to:

• Automatically assign appropriate permissions to users and groups
• Specify the user or group to which you want to delegate control
• Specify the OUs and objects that you want to grant the user or group permission to control
• Specify the tasks that you want the user or group to be able to perform

Modifying the Delegation of Control Wizard:

• The list of common tasks in the wizard is controlled by templates in the delegwiz.inf file
• You can change the list of common tasks by modifying the delegwiz.inf file to include other templates
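As an added illustration (this is a constructed custom template, not the shipped delegwiz.inf and not from the course), here is what an extra task looks like when it follows the file's documented layout: the template name is appended to the Templates list, a section describes where the task is offered (AppliesToClasses) and how it is labelled, and one subsection per object class lists the attributes or control rights granted (RP/WP = read/write property, CC/DC = create/delete child, GA = full control, CONTROLRIGHT= a control access right by name). The task below lets a delegate unlock accounts by writing lockoutTime and nothing else.

```ini
[DelegationTemplates]
; keep every template name that is already listed here and append the new one
Templates = template1, template2, template3, unlockTemplate

[unlockTemplate]
AppliesToClasses=domainDNS,organizationalUnit,container
Description="Unlock user accounts (custom task)"
ObjectTypes=user

[unlockTemplateuser]
; applied to descendant user objects: read and write lockoutTime only
lockoutTime=RP,WP
```

Two caveats a practitioner will want: delegwiz.inf is a local file, so the new task appears only on the machine where the file was edited; and the wizard only adds ACEs, it never removes them, so revoking a delegation means editing the object's ACL directly.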
Discussion: Scenarios for Delegating Control

• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?

Demonstration: Configuring Delegation of Control

In this demonstration, you will see how to:

• Configure delegation with the Delegation of Control Wizard
• Configure delegation using a Windows PowerShell script
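The course's own demonstration script is not reproduced on this page; the following added example shows the scripted equivalent of the wizard task "Reset user passwords and force password change at next logon": it looks up the needed GUIDs from the schema and the Extended-Rights container instead of hard-coding them, writes three object-specific ACEs scoped to descendant user objects, and verifies the result by re-reading the DACL. The OU and group names are assumptions.

```powershell
# Added example, not the course's demonstration script. Requires the
# ActiveDirectory module; OU and group names are assumptions.
Import-Module ActiveDirectory

function Get-SchemaIdGuid {
    # schemaIDGUID of an attribute or class, looked up by lDAPDisplayName
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control access right, looked up by its display name
    param([Parameter(Mandatory)][string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

function Grant-PasswordResetDelegation {
    # Grants the same rights as the wizard task, scoped to descendant *user*
    # objects only, so the delegate gets nothing on computers, groups or the
    # OU object itself.
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $sid         = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $userClass   = Get-SchemaIdGuid 'user'
    $resetPwd    = Get-ExtendedRightGuid 'Reset Password'
    $pwdLastSet  = Get-SchemaIdGuid 'pwdLastSet'
    $lockoutTime = Get-SchemaIdGuid 'lockoutTime'
    $descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rwProperty  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    $rules = @(
        # control access right "Reset Password" on user objects below the OU
        New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $extRight, $allow, $resetPwd, $descendants, $userClass
        # pwdLastSet = 0 is what "user must change password at next logon" writes
        New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $rwProperty, $allow, $pwdLastSet, $descendants, $userClass
        # lockoutTime = 0 unlocks a locked-out account
        New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $rwProperty, $allow, $lockoutTime, $descendants, $userClass
    )

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

function Test-PasswordResetDelegation {
    # Re-read the DACL and confirm the Reset Password Allow ACE exists for the group
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $sid      = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $resetPwd = Get-ExtendedRightGuid 'Reset Password'
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $resetPwd -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    }
    return [bool]$hit
}

# Usage (names are assumptions)
Grant-PasswordResetDelegation -OuDistinguishedName 'OU=Interns,DC=woodgrovebank,DC=com' -GroupSamAccountName 'Helpdesk-PasswordReset'
Test-PasswordResetDelegation  -OuDistinguishedName 'OU=Interns,DC=woodgrovebank,DC=com' -GroupSamAccountName 'Helpdesk-PasswordReset'
```

Two points worth checking before running this in production: "Reset Password" on a user object is full control of that account in practice, so the OU must not contain administrative or service accounts (limiting the ACE to the user class does not help with that); and members of protected groups (adminCount = 1) have their ACLs rewritten from AdminSDHolder by SDProp, so OU-level delegation never takes effect on them, which is intended.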
Lab A: Configuring Active Directory Delegation

Exercise 1: Delegating Control of AD DS Objects

Logon information
Virtual machines: NYC-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes

Lab Scenario
Woodgrove Bank has also established a partner relationship with another organization. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users as possible.
Lesson 2: Configure Active Directory Trusts

• What Are AD DS Trusts?
• AD DS Trust Options
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• What Are User Principal Names?
• What Are the Selective Authentication Settings?

What Are AD DS Trusts?

Trusts provide a mechanism for users to gain access to resources in another domain

Trust characteristics:

• Transitivity – a transitive trust relationship extends beyond the two domains that established it to include the other domains that those domains trust
• Trust direction – the trust direction defines which domain is the account (trusted) domain and which is the resource (trusting) domain; users in the account domain can be granted access to resources in the resource domain
• Authentication protocol – the protocol (Kerberos V5 or NTLM) used to authenticate across the trust
AD DS Trust Options

[Figure: Forest 1 (root domain plus Domains A to F) and Forest 2 (root domain plus Domains P and Q), with a Kerberos realm alongside. Trust types shown: Parent/Child trust, Tree/Root trust, Shortcut trust, Forest trust between the two forest roots, External trust to a single domain in the other forest, and Realm trust to the Kerberos realm]
How Trusts Work Within a Forest

[Figure: one forest with two trees (Tree One and Tree Two) containing the Forest Root Domain, a Tree Root Domain, and Domains 1, 2, A, B and C, linked by parent/child trusts within each tree and a tree/root trust between the trees]
How Trusts Work Between Forests

[Figure: a forest trust between WoodgroveBank.com (Forest 1, with child domain EMEA.WoodgroveBank.com and a global catalog) and contoso.com (Forest 2, with child domain NA.Contoso.com and a global catalog); numbered steps 1 to 9 trace a cross-forest authentication between Seattle and Vancouver through the global catalogs and the forest trust]
Demonstration: Reviewing Trusts
In this demonstration, you will see how to:

Review the Active Directory Domains and Trusts MMC
What Are User Principal Names?

A UPN is a logon name that includes the user logon name and a domain suffix

• The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest

UPN suffixes can be used for routing authentication requests between trusted forests:

• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
What Are the Selective Authentication Settings?

Selective authentication:

• Limits which computers in the trusting domain can be accessed by users from a trusted domain, and which users in the trusted domain can access each computer
• Is configured on the security descriptor of the computer object in AD DS, by granting the trusted users the Allowed to Authenticate permission

To configure selective authentication:

• Configure the forest or external trust to use selective authentication rather than domain-wide (or forest-wide) authentication
• Grant the Allowed to Authenticate permission on the computer accounts that the trusted users need to access
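The two steps above, plus the trust review that the earlier demonstration does in the MMC, as an added example that is not from the course: the first function lists every trust with the settings that decide how much the trusting side exposes, the second performs the per-computer half of selective authentication by granting Allowed to Authenticate on one computer object. The trust-level switch has no ActiveDirectory cmdlet and is shown as a netdom command in a comment. The computer name and the trusted-forest domain and group are assumptions.

```powershell
# Added example, not from the course. Run with the ActiveDirectory module in
# the trusting (resource) forest. Computer, domain and group names are assumptions.
Import-Module ActiveDirectory

function Get-TrustReview {
    # One row per trust. Direction is relative to the local domain; selective
    # authentication and SID filtering matter on the side that hosts resources.
    Get-ADTrust -Filter * | ForEach-Object {
        $findings = @()
        if (-not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $findings += 'external trust without SID filtering (quarantine off)'
        }
        if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
            $findings += 'domain-wide authentication: every trusted user is "Authenticated Users" here'
        }
        [pscustomobject]@{
            Target                  = $_.Target
            Direction               = $_.Direction
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            SelectiveAuthentication = $_.SelectiveAuthentication
            Findings                = ($findings -join '; ')
        }
    }
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control access right, looked up by its display name
    param([Parameter(Mandatory)][string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

function Grant-AllowedToAuthenticate {
    # Per-computer half of selective authentication. With the trust set to
    # selective authentication and without this ACE, users from the trusted
    # forest get a logon failure on the computer even if they hold share or
    # NTFS permissions on it.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TrustedDomain,   # NetBIOS name of the trusted domain
        [Parameter(Mandatory)][string]$TrustedGroup     # group in the trusted forest
    )
    $account = New-Object System.Security.Principal.NTAccount($TrustedDomain, $TrustedGroup)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])  # resolved across the trust
    $right   = Get-ExtendedRightGuid 'Allowed to Authenticate'
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $extRight, $allow, $right
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Step 1, trust level (run on a DC of the trusting domain; names are assumptions):
#   netdom trust woodgrovebank.com /domain:contoso.com /SelectiveAuth:yes
# Step 2, computer level:
Get-TrustReview | Format-Table -AutoSize
Grant-AllowedToAuthenticate -ComputerName 'NYC-SVR1' -TrustedDomain 'CONTOSO' -TrustedGroup 'Partner-Users'
```

Granting the right to a group rather than to individual users keeps the number of ACEs on each computer object small and lets the partner organization manage who is in scope, which is what the "as few users as possible" requirement in the lab scenario asks for. The NTAccount translation only succeeds once the trust is in place and the trusted domain's DCs are reachable.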
Lab B: Configuring Active Directory Trusts

Exercise 1: Configuring AD DS Trusts

Logon information
Virtual machines: NYC-DC1, NYC-DC2, NYC-CL1, VAN-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes

Lab Scenario
Woodgrove Bank has several requirements for managing AD DS objects. The organization frequently hires interns who must have limited permissions and whose accounts must be set to expire automatically when the internship is complete. User accounts must also be configured with a standard configuration. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. The organization would like to automate the user and group management tasks, and delegate some administrative tasks to junior administrators.
Lab Review

• After the trusts are configured as described in the lab, what resources will users in Woodgrovebank be able to access in the Fabrikam.com domain?
• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?

Module Review and Takeaways

• Review questions
• Considerations for managing Active Directory objects and trusts
