
Module 3: Configuring Active Directory Objects and Trusts
Module Overview
• Configuring Active Directory Objects

• Strategies for Using Groups

• Automating AD DS Object Management

• Delegating Administrative Access to AD DS Objects

• Configuring AD DS Trusts
Lesson 1: Configuring Active Directory Objects
• Types of AD DS Objects

• Demonstration: Configuring AD DS User Accounts

• AD DS Group Types

• AD DS Group Scopes

• Default AD DS Groups

• AD DS Special Identities

• Discussion: Using Default Groups and Special Identities

• Demonstration: Configuring AD DS Group Accounts

• Demonstration: Configuring Additional AD DS Objects


Types of AD DS Objects

User accounts
• Enables a single sign-on for a user
• Provides access to resources

InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services

Computer accounts
• Enables authentication and auditing of computer access to resources

Organizational Unit
• Used to group similar objects for administration

Group accounts
• Helps simplify administration

Printers
• Used to simplify the process of locating and connecting to printers

Shared folders
• Used to simplify the process of locating and connecting to shared folders
Demonstration: Configuring AD DS User Accounts
In this demonstration, you will see how to configure AD DS
user accounts
AD DS Group Types

Distribution groups
• Used only with e-mail applications
• Not security-enabled

Security groups
• Used to assign rights and permissions to groups of users and computers
• Used most effectively when nested

The functional level determines the type of groups that you can create
AD DS Group Scopes

Domain Local
• Group members can include: universal groups, global groups, and other domain local groups from its own domain; accounts from any trusted domain
• Can be used to assign permissions: in the same domain

Global
• Group members can include: users, groups, and computers from its own domain
• Can be used to assign permissions: in any trusted domain

Universal
• Group members can include: users, groups, and computers as members from any trusted domain
• Can be used to assign permissions: in any trusted domain

Local
• Group members can include: users, groups, and computers as members from any trusted domain
• Can be used to assign permissions: on the local computer
Default AD DS Groups

Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles

• Account Operators
• Administrators
• Backup Operators
• Incoming Forest Trust Builders
• Network Configuration Operators
• Performance Log Users
• Performance Monitor Users
• Pre-Windows 2000 Compatible Access
• Print Operators
• Remote Desktop Users
• Replicator
• Server Operators
• Users
AD DS Special Identities

Designed to provide access to resources without administrative or user interaction

• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Everyone
• Interactive
• Local System
• Network
• Other Organization
• Self
• Service
• Terminal Server Users
• This Organization
Discussion: Using Default Groups and
Special Identities
Using the scenario, answer the questions in your workbook
Demonstration: Configuring AD DS
Group Accounts
In this demonstration, you will see how to configure AD DS
group accounts
Demonstration: Configuring Additional
AD DS Objects
In this demonstration, you will see how to configure
additional AD DS objects
Lesson 2: Strategies for Using Groups
• Options for Assigning Access to Resources

• Using Account Groups to Assign Access to Resources

• Using Account Groups and Resource Groups

• Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Options for Assigning Access to Resources

When assigning access to resources:
• Plan for the lowest level of permissions
• Keep the plan as simple as possible
• Document the plan

Options include:
• Adding user accounts to the ACL on the resource
• Adding user accounts to groups, and adding the groups to the ACL on the resource
• Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource
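The third option (account groups nested in resource groups, with only the resource group on the ACL) carried out in Windows PowerShell, as an added example that is not part of the course deck. It assumes the ActiveDirectory module is installed; the OU, folder, group and user names are constructed for the example.

```powershell
# Added example: account group -> resource group -> ACL, using the
# ActiveDirectory module (an assumption; the deck lists PowerShell but not the module).
Import-Module ActiveDirectory

$ou     = "OU=Groups,DC=contoso,DC=com"   # constructed
$folder = "D:\Shares\Finance"             # constructed

# Global account group: holds user accounts from its own domain
New-ADGroup -Name "G_Finance_Staff" -GroupScope Global -GroupCategory Security -Path $ou
# Domain local resource group: holds account groups and is the only entry on the ACL
New-ADGroup -Name "DL_FinanceShare_Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou

Add-ADGroupMember -Identity "G_Finance_Staff" -Members "alice", "bob"   # constructed accounts
Add-ADGroupMember -Identity "DL_FinanceShare_Modify" -Members "G_Finance_Staff"

# Lowest level of permission that does the job: Modify rather than Full Control
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CONTOSO\DL_FinanceShare_Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Document the plan: list who ends up with access through the nesting chain
Get-ADGroupMember -Identity "DL_FinanceShare_Modify" -Recursive |
    Select-Object Name, objectClass
```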
Using Account Groups to Assign Access to Resources

[Diagram: User Accounts → Account Groups → Permissions]

Using Account Groups and Resource Groups

[Diagram: User Accounts → Account Groups → Resource Groups → Permissions]
Discussion: Using Groups in a Single-Domain or
Multiple-Domain Environment
Using the scenarios, answer the questions in your
workbooks
Lesson 3: Automating AD DS Object Management
• Tools for Automating AD DS Object Management

• Configuring AD DS Objects Using Command-Line Tools

• Managing User Objects with LDIFDE

• Managing User Objects with CSVDE

• What Is Windows PowerShell?

• Windows PowerShell Cmdlets

• Demonstration: Configuring Active Directory Objects Using Windows PowerShell
Tools for Automating AD DS Object Management

• Active Directory Users and Computers
• Directory Service Tools: Dsadd, Dsmod, Dsrm
• Csvde and Ldifde Tools
• Windows PowerShell
Configuring AD DS Objects Using Command-Line Tools

Command-line tools:
• Dsadd
• Dsmod
• Dsrm
• Dsget
• Net user
• Net group
• Net computer
Managing User Objects with LDIFDE

• LDIFDE.exe imports objects from filename.ldf into Active Directory, and exports objects from Active Directory to filename.ldf

Managing User Objects with CSVDE

• CSVDE.exe imports objects from filename.csv into Active Directory, and exports objects from Active Directory to filename.csv
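An LDIFDE import and export round trip driven from Windows PowerShell, added here as an example and not taken from the course deck. The OU, domain and user records are constructed; the ldifde switches used (-i, -f, -k, -d, -r, -l, -p) are the tool's own.

```powershell
# Added example: build an LDIF file, import it with LDIFDE.exe, export the OU back out.
$ldf = Join-Path $env:TEMP "newusers.ldf"

# One record per user, separated by a blank line. A password cannot be set in
# plain-text LDIF (unicodePwd needs an LDAPS session), so the accounts are
# created disabled (userAccountControl 514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2)
# and enabled only after a password has been assigned.
@"
dn: CN=Dana Reyes,OU=Staff,DC=contoso,DC=com
changetype: add
objectClass: user
sAMAccountName: dreyes
userPrincipalName: dreyes@contoso.com
displayName: Dana Reyes
userAccountControl: 514

dn: CN=Sam Ortiz,OU=Staff,DC=contoso,DC=com
changetype: add
objectClass: user
sAMAccountName: sortiz
userPrincipalName: sortiz@contoso.com
displayName: Sam Ortiz
userAccountControl: 514
"@ | Set-Content -Path $ldf -Encoding ASCII

# -i import mode, -f input file, -k keep going past "object already exists" errors
ldifde -i -f $ldf -k

# Export the same OU for review: -d search root, -r LDAP filter,
# -l attributes to include, -p subtree scope
ldifde -f (Join-Path $env:TEMP "staff-export.ldf") `
       -d "OU=Staff,DC=contoso,DC=com" -r "(objectClass=user)" `
       -l "sAMAccountName,userPrincipalName,displayName,userAccountControl" -p subtree
```

Review the exported userAccountControl values before enabling any account; an unexpected 512 means an account went live without the password step.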
What Is Windows PowerShell?

Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components

Windows PowerShell features include:
• Powerful single-line cmdlets
• Aliases
• Variables
• Pipelining
• Scripting support
• Access to all cmd.exe commands
Windows PowerShell Cmdlets

Windows PowerShell cmdlets all use the same syntax: Verb-Noun Parameters

Verb    Noun      Parameters   Example
Get     Date                   Get-Date
Start   Service   W3SVC        Start-Service W3SVC

• Results from one cmdlet can be pipelined to another:
  Get-Service W3svc | format-list
• Get-Service | sort-object name
• Get-Service | where-object {$_.status -eq "running"} | sort-object name
Demonstration: Configuring Active Directory
Objects Using Windows PowerShell
In this demonstration, you will see how to configure Active
Directory Objects using Windows PowerShell
Lab A: Configuring Active Directory Objects
• Exercise 1: Configuring AD DS Objects

• Exercise 2: Implementing an AD DS Group Strategy

• Exercise 3: Automating the Management of AD DS Objects

Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd

Estimated time: 40 minutes


Lab A Review
• How will the group strategies that you use in your
organization compare with the strategy used in this lab?
• Which of the options for automating AD DS object
management will be most useful in your organization?
Lesson 4: Delegating Administrative Access to
AD DS Objects
• Active Directory Object Permissions

• Demonstration: Active Directory Domain Services Object Permission Inheritance
• What Are Effective Permissions?

• What Is Delegation of Control?

• Discussion: Scenarios for Delegating Control

• Demonstration: Configuring Delegation of Control


Active Directory Object Permissions

Active Directory permissions:
• Include standard permissions and special permissions:
  - Standard permissions are the most frequently assigned permissions
  - Special permissions provide a finer degree of control for assigning access to objects
• Can be allowed, implicitly denied, or explicitly denied
• Can be set at the object level, or inherited from the parent object
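The three distinctions on this slide (standard versus special rights, Allow versus Deny, set on the object versus inherited) read from a live object with the pipelining pattern from Lesson 3. This is an added example, not part of the course deck; it assumes the ActiveDirectory module and its AD: drive, and the OU name is constructed.

```powershell
# Added example: report the ACEs on an AD DS object, explicit entries first.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl below

function Get-ADObjectAceReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)   # e.g. "OU=Sales,DC=contoso,DC=com" (constructed)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference
            Type        = $_.AccessControlType       # Allow or Deny
            Rights      = $_.ActiveDirectoryRights   # standard rights, or ExtendedRight for special permissions
            ObjectType  = $_.ObjectType              # attribute/right GUID for a special permission; empty GUID otherwise
            Inherited   = $_.IsInherited             # $false: set at the object; $true: inherited from the parent
            Inheritance = $_.InheritanceType
        }
    }
}

# Explicit (non-inherited) ACEs only, Deny entries listed first: these are the
# entries that most often explain an unexpected effective permission
Get-ADObjectAceReport -DistinguishedName "OU=Sales,DC=contoso,DC=com" |
    Where-Object { -not $_.Inherited } |
    Sort-Object Type -Descending |
    Format-Table -AutoSize
```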
Demonstration: Active Directory Domain Services
Object Permission Inheritance
In this demonstration, you will see how permissions are
inherited for AD DS objects
What Are Effective Permissions?

Effective permissions are the actual permissions that are granted to the specified user or group

• Permissions are cumulative, including permissions assigned to the user account and the group account
• Explicit deny permissions override allow permissions
• Explicit allow permissions override explicit deny permissions
• Object owners can always change permissions
• Special identities are not used when this tool calculates special permissions
What Is Delegation of Control?

Assigns the responsibility of managing Active Directory objects to another user or group

• Delegated administration:
  - Eases administration by distributing routine administrative tasks
  - Provides users or groups more control over local network resources
  - Eliminates the need for multiple administrative accounts

[Diagram labels: Domain; OU1, OU2, OU3; Admin1, Admin2, Admin3]
Discussion: Scenarios for Delegating Control
• What are the benefits of delegating administrative
permissions?
• How would you use delegation of control in your
organization?
Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to configure
delegation of control
Lesson 5: Configuring AD DS Trusts
• What Are AD DS Trusts?

• AD DS Trust Options

• How Trusts Work Within a Forest

• How Trusts Work Between Forests

• Demonstration: Configuring Trusts

• What Are User Principal Names?

• What Are the Selective Authentication Settings?

• Demonstration: Configuring Advanced Trust Settings


What Are AD DS Trusts?

Trusts provide a mechanism for users to gain access to resources in another domain

Trust characteristics:
• Transitive: the trust relationship extends beyond a two-domain trust to include other trusted domains
• Trust direction: the trust direction defines the account domain and the resource domain
• Authentication protocol: the protocol that you use to establish and maintain the trust
AD DS Trust Options

[Diagram: Forest 1, Forest 2 and a Kerberos Realm containing Domains A to F, P and Q; trust types shown: Tree/Root Trust, Parent/Child Trust, Forest Trust, Shortcut Trust, External Trust, Realm Trust]
How Trusts Work Within a Forest

[Diagram labels: Forest Root Domain; Tree One, Tree Root Domain, Domain 1, Domain 2, Domain A; Tree Two, Domain B, Domain C]
How Trusts Work Between Forests

[Diagram: Forest trust between Forest 1, WoodgroveBank.com (Vancouver, EMEA.WoodgroveBank.com), and Forest 2, contoso.com (Seattle, NA.Contoso.com); each forest has a global catalog, and numbered steps 1 to 9 show the authentication path]
Demonstration: Configuring Trusts
In this demonstration, you will see how to configure
shortcut, external, and forest trusts
What Are User Principal Names?

• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest

UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
What Are the Selective Authentication Settings?

Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Configured on the security descriptor of the computer object located in AD DS

To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
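Both configuration steps above, scripted as an added example that is not part of the course deck: Netdom switches the trust to selective authentication, then the "Allowed to Authenticate" right is granted on one computer object. It assumes the ActiveDirectory module; the domain, group and computer names are constructed.

```powershell
# Added example: selective authentication on a forest trust plus per-computer access.
Import-Module ActiveDirectory

$trustingDomain = "contoso.com"                   # resource forest (constructed)
$trustedDomain  = "woodgrovebank.com"             # account forest (constructed)
$trustedGroup   = "WOODGROVEBANK\Project Users"   # who may authenticate (constructed)
$computerName   = "NYC-FS1"                       # the only computer they may reach (constructed)

# Step 1: trust-wide switch from domain-wide to selective authentication
netdom trust $trustingDomain "/domain:$trustedDomain" /SelectiveAuth:Yes

# Step 2: per-computer access. Look up the rightsGuid of the control access
# right in the schema's Extended-Rights container instead of hard-coding it.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
            -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Allowed to Authenticate))" `
            -Properties rightsGuid
$guid  = [guid]$right.rightsGuid

$computer = Get-ADComputer -Identity $computerName
$path = "AD:\" + $computer.DistinguishedName
$acl  = Get-Acl -Path $path
$sid  = (New-Object System.Security.Principal.NTAccount($trustedGroup)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: list only the ACEs that carry the Allowed to Authenticate right
$acl.Access | Where-Object { $_.ObjectType -eq $guid } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Until step 2 is done for a computer, users from the trusted forest receive no access to it at all, which is the point of selective authentication; re-run the verification after any delegation change on the computer object.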
Demonstration: Configuring Advanced
Trust Settings
In this demonstration, you will see how to configure
advanced trust settings
Lab B: Configuring Active Directory Delegation
and Trusts
• Exercise 1: Delegating Control of AD DS Objects

• Exercise 2: Configuring AD DS Trusts

Logon information
Virtual machines: 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-DC1, 6425A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd

Estimated time: 20 minutes


Lab B Review
• After the trusts are configured as described in the lab,
what resources will users in Woodgrove Bank be able to
access in the NorthwindTraders.com domain?
• How would you configure a forest trust with another
organization if the organization does not provide you with
their administrator credentials?
Module Review and Takeaways
• Review questions

• Considerations for configuring Active Directory objects

• Tools
