Module 4: Managing Security


Module 3: Configuring Active Directory Objects and Trusts
Module Overview
• Configuring Active Directory Objects
• Strategies for Using Groups
• Automating AD DS Object Management
• Delegating Administrative Access to AD DS Objects
• Configuring AD DS Trusts
Lesson 1: Configuring Active Directory Objects
• Types of AD DS Objects
• Demonstration: Configuring AD DS User Accounts
• AD DS Group Types
• AD DS Group Scopes
• Default AD DS Groups
• AD DS Special Identities
• Discussion: Using Default Groups and Special Identities
• Demonstration: Configuring AD DS Group Accounts
• Demonstration: Configuring Additional AD DS Objects
Types of AD DS Objects
User accounts
• Enables a single sign-on for a user
• Provides access to resources
InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services
Computer accounts
• Enables authentication and auditing of computer access to resources
Organizational Unit
• Used to group similar objects for administration
Group accounts
• Helps simplify administration
Printers
• Used to simplify the process of locating and connecting to printers
Shared folders
• Used to simplify the process of locating and connecting to shared folders
Demonstration: Configuring AD DS User Accounts
In this demonstration, you will see how to configure AD DS
user accounts
AD DS Group Types
Distribution groups
• Used only with e-mail applications
• Not security-enabled
Security groups
• Used to assign rights and permissions to groups of users and computers
• Used most effectively when nested
The functional level determines the type of groups that you can create
AD DS Group Scopes
Group scope: Domain Local
• Group members can include: universal groups, global groups, and other domain local groups from its own domain; accounts from any trusted domain
• Can be used to assign permissions: in the same domain
Group scope: Global
• Group members can include: users, groups, and computers from its own domain
• Can be used to assign permissions: in any trusted domain
Group scope: Universal
• Group members can include: users, groups, and computers as members from any trusted domain
• Can be used to assign permissions: in any trusted domain
Group scope: Local
• Group members can include: users, groups, and computers as members from any trusted domain
• Can be used to assign permissions: on the local computer
Default AD DS Groups
Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles
Account Operators
Administrators
Backup Operators
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
Remote Desktop Users
Replicator
Server Operators
Users
AD DS Special Identities
Designed to provide access to resources without administrative or user interaction
Anonymous Logon
Authenticated Users
Batch
Creator Group
Creator Owner
Dialup
Everyone
Interactive
Local System
Network
Self
Service
Terminal Server Users
Other Organization
This Organization
Discussion: Using Default Groups and Special Identities
Using the scenario, answer the questions in your workbook
Demonstration: Configuring AD DS Group Accounts
In this demonstration, you will see how to configure AD DS group accounts
Demonstration: Configuring Additional AD DS Objects
In this demonstration, you will see how to configure additional AD DS objects
Lesson 2: Strategies for Using Groups
• Options for Assigning Access to Resources
• Using Account Groups to Assign Access to Resources
• Using Account Groups and Resource Groups
• Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Options for Assigning Access to Resources
When assigning access to resources:
• Plan for the lowest level of permissions
• Keep the plan as simple as possible
• Document the plan
Options include:
• Adding user accounts to the ACL on the resource
• Adding user accounts to groups, and adding the groups to the ACL on the resource
• Adding user accounts to account groups, adding the account groups to resource groups, and adding the resource groups to the ACL on the resource
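A worked version of the third option (user accounts in a global account group, nested in a domain local resource group, which alone sits on the ACL), added here as an example and not part of the course. It assumes the ActiveDirectory PowerShell module; the OU, group, user and folder names are constructed.

```powershell
# Added example (not from the course): accounts -> account group (Global)
# -> resource group (Domain Local) -> ACL. Assumes the ActiveDirectory module;
# every name below is constructed.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=contoso,DC=com'   # assumed container for groups
$sharePath = 'D:\Shares\Finance'             # assumed folder behind the share
$domain    = 'CONTOSO'

# 1. Account group: global scope, named for the role, holds the people.
New-ADGroup -Name 'Finance Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description 'Account group: Finance department staff'
Add-ADGroupMember -Identity 'Finance Staff' -Members 'alice', 'bob'   # constructed users

# 2. Resource group: domain local scope, named for the resource and the access level.
New-ADGroup -Name 'Finance Share - Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description 'Resource group: Modify on D:\Shares\Finance'

# 3. Nest the account group in the resource group; this is the only link to maintain.
Add-ADGroupMember -Identity 'Finance Share - Modify' -Members 'Finance Staff'

# 4. The ACL carries one entry, the resource group, so access reviews look in one place.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$domain\Finance Share - Modify",   # identity
    'Modify',                           # lowest level that still lets staff edit files
    'ContainerInherit, ObjectInherit',  # apply to subfolders and files
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: expand the nesting to see who actually ends up with Modify on the folder.
Get-ADGroupMember -Identity 'Finance Share - Modify' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The final query is the documentation step from the slide: keep its output with the plan so the nesting can be reviewed without opening the ACL.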
Using Account Groups to Assign Access to Resources
[Diagram: User accounts → Account groups → Permissions]
Using Account Groups and Resource Groups
[Diagram: User accounts → Account groups → Resource groups → Permissions]
Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Using the scenarios, answer the questions in your workbooks
Lesson 3: Automating AD DS Object Management
• Tools for Automating AD DS Object Management
• Configuring AD DS Objects Using Command-Line Tools
• Managing User Objects with LDIFDE
• Managing User Objects with CSVDE
• What Is Windows PowerShell?
• Windows PowerShell Cmdlets
• Demonstration: Configuring Active Directory Objects Using Windows PowerShell
Tools for Automating AD DS Object Management
Active Directory Users and Computers
Directory Service Tools
• Dsadd
• Dsmod
• Dsrm
Csvde and Ldifde Tools
Windows PowerShell
Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
• Dsadd
• Dsmod
• Dsrm
• Dsget
• net user
• net group
• net computer
Managing User Objects with LDIFDE
• LDIFDE.exe imports objects from filename.ldf into Active Directory and exports Active Directory objects to filename.ldf
Managing User Objects with CSVDE
• CSVDE.exe imports objects from filename.csv into Active Directory and exports Active Directory objects to filename.csv
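An LDIFDE import and a CSVDE export driven from Windows PowerShell, added here as an example for both slides above and not part of the course. The OU, the user, the password and the file paths are constructed; the dsmod call uses the tool from the command-line tools slide.

```powershell
# Added example (not from the course): LDIFDE import and CSVDE export driven from
# Windows PowerShell. The OU, user, password and file paths are constructed.

# An LDIF record: one "attribute: value" line per attribute; a blank line ends the record.
$ldf = @"
dn: CN=Jane Doe,OU=Staff,DC=contoso,DC=com
changetype: add
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@contoso.com
givenName: Jane
sn: Doe
displayName: Jane Doe

"@
Set-Content -Path C:\Temp\newusers.ldf -Value $ldf -Encoding Ascii

# -i import, -f file, -k keep going past "already exists" errors,
# -j folder for ldif.log and ldif.err (read ldif.err before trusting the run).
ldifde -i -f C:\Temp\newusers.ldf -k -j C:\Temp

# No password is set by this import, so the account is created disabled.
# Set a password, force a change at first logon, then enable it with dsmod.
dsmod user 'CN=Jane Doe,OU=Staff,DC=contoso,DC=com' -pwd 'Constructed-Pwd-1' -mustchpwd yes -disabled no

# CSVDE export of chosen attributes (-l) for user objects (-r) under one OU (-d).
# CSVDE can add objects but cannot modify or delete them; LDIFDE (changetype: modify)
# is the tool for changes.
csvde -f C:\Temp\staff-users.csv -d 'OU=Staff,DC=contoso,DC=com' -r '(objectClass=user)' `
    -l 'sAMAccountName,userPrincipalName,displayName,whenCreated'

# Review any file before importing it: a changetype: delete line is executed as written.
Get-Content C:\Temp\newusers.ldf | Select-String -Pattern '^changetype:'
```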
What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage Active Directory and other Windows components
Windows PowerShell features include:
• Powerful single-line cmdlets
• Pipelining
• Aliases
• Access to all cmd.exe commands
• Variables
• Scripting support
Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same Verb-Noun syntax:
Verb    Noun     Parameters   Example
Get     Date                  Get-Date
Start   Service  W3SVC        Start-Service W3SVC
Results from one cmdlet can be pipelined to another:
• Get-Service W3svc | format-list
• Get-Service | sort-object name
• Get-Service | where-object {$_.status -eq "running"} | sort-object name
Demonstration: Configuring Active Directory Objects Using Windows PowerShell
In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell
Lab A: Configuring Active Directory Objects
• Exercise 1: Configuring AD DS Objects
• Exercise 2: Implementing an AD DS Group Strategy
• Exercise 3: Automating the Management of AD DS Objects
Logon information
Virtual machines: 6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 40 minutes
Lab A Review
• How will the group strategies you use in your organization compare with the strategy used in this lab?
• Which of the options for automating AD DS object management will be most useful in your organization?
Lesson 4: Delegating Administrative Access to AD DS Objects
• Active Directory Object Permissions
• Demonstration: Active Directory Domain Services Object Permission Inheritance
• What Are Effective Permissions?
• What Is Delegation of Control?
• Discussion: Scenarios for Delegating Control
• Demonstration: Configuring Delegation of Control
Active Directory Object Permissions
Active Directory permissions:
• Include standard permissions and special permissions:
  ◦ Standard permissions are the most frequently assigned permissions
  ◦ Special permissions provide a finer degree of control for assigning access to objects
• Can be allowed, implicitly denied, or explicitly denied
• Can be set at the object level or inherited from the parent object
Demonstration: Active Directory Domain Services Object Permission Inheritance
In this demonstration, you will see how permissions are inherited for AD DS objects
What Are Effective Permissions?
Effective permissions are the actual permissions that are granted to the specified user or group:
• Permissions are cumulative, including permissions assigned to the user account and the group account
• Explicit deny permissions override allow permissions
• Explicit allow permissions override explicit deny permissions
• Object owners can always change permissions
• Special identities are not used when this tool calculates special permissions
What Is Delegation of Control?
Assigns the responsibility of managing Active Directory objects to another user or group
• Delegated administration:
  ◦ Eases administration by distributing routine administrative tasks
  ◦ Provides users or groups more control over local network resources
  ◦ Eliminates the need for multiple administrative accounts
[Diagram: Domain containing OU1, OU2 and OU3, with control delegated to Admin1, Admin2 and Admin3]
Discussion: Scenarios for Delegating Control
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?
Demonstration: Configuring Delegation of Control
In this demonstration, you will see how to configure delegation of control
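The same delegation done from the command line with dsacls, added here as an example and not part of the course: it grants a help desk group only the rights needed to reset passwords and unlock accounts in one OU, then reads the DACL back. The OU, group and user names are constructed.

```powershell
# Added example (not from the course): delegate password resets on one OU to a
# help desk group with dsacls, then read the result back. OU, group and user are constructed.
$ou       = 'OU=Staff,DC=contoso,DC=com'
$helpdesk = 'CONTOSO\HelpDesk'

# /I:S  inherit to sub-objects only (the OU object itself gets nothing)
# CA    control access right; "Reset Password" is the extended right's name
# ;user the ACE applies to user objects only, not to computers or groups in the OU
dsacls $ou /I:S /G "${helpdesk}:CA;Reset Password;user"

# The Delegation of Control wizard pairs Reset Password with read/write (RP, WP) of
# pwdLastSet, which is what "user must change password at next logon" sets.
dsacls $ou /I:S /G "${helpdesk}:RPWP;pwdLastSet;user"

# Unlock is a write to lockoutTime; delegating it separately keeps the grant narrow.
dsacls $ou /I:S /G "${helpdesk}:WP;lockoutTime;user"

# Read back only this group's ACEs. Run dsacls $ou without a filter to audit the full DACL.
dsacls $ou | Select-String -Pattern 'HelpDesk'

# Check the effect on an object: the rights should appear on a user as inherited from the OU.
dsacls "CN=Jane Doe,$ou" | Select-String -Pattern 'HelpDesk'
```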
Lesson 5: Configuring AD DS Trusts
• What Are AD DS Trusts?
• AD DS Trust Options
• How Trusts Work Within a Forest
• How Trusts Work Between Forests
• Demonstration: Configuring Trusts
• What Are User Principal Names?
• What Are the Selective Authentication Settings?
• Demonstration: Configuring Advanced Trust Settings
What Are AD DS Trusts?
Provide a mechanism for users to gain access to resources in another domain
Trust characteristics:
• Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains
• Trust direction – the trust direction defines the account domain and the resource domain
• Authentication protocol – the protocol that you use to establish and maintain the trust
AD DS Trust Options
Tree/Root Trust
Forest Trust
Parent/Child Trust
Shortcut Trust
Realm Trust
External Trust
How Trusts Work Within a Forest
[Diagram: Forest Root Domain; Tree One with Tree Root Domain, Domain 1 and Domain 2; Tree Two with Domain A, Domain B and Domain C]
How Trusts Work Between Forests
[Diagram: forest trust between contoso.com and WoodgroveBank.com, with the child domains NA.Contoso.com and EMEA.WoodgroveBank.com, the global catalog of each forest, and the sites Vancouver and Seattle; steps numbered 1 to 9]
Demonstration: Configuring Trusts
In this demonstration, you will see how to configure shortcut, external, and forest trusts
What Are User Principal Names?
• A UPN is a logon name that includes the user logon name and a domain suffix
• The domain suffix can be the user’s home domain, any other domain in the forest, or a custom domain name
• Additional UPN domain suffixes can be added
• UPNs must be unique in a forest
UPN suffixes can be used for routing authentication requests between trusted forests:
• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests
• You can manually enable or disable name suffix routing across trusts
What Are the Selective Authentication Settings?
Selective authentication:
• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer
• Configured on the security descriptor of the computer object located in Active Directory
To configure selective authentication:
• Configure the forest or external trust to use selective rather than domain-wide authentication
• Configure the computer accounts for selective authentication
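The two configuration steps carried out with netdom and dsacls, added here as an example and not part of the course. The domain names follow the module's forest-trust diagram (contoso.com as the trusting forest, woodgrovebank.com as the trusted forest); the server and group are constructed, and the Get-ADTrust check assumes the ActiveDirectory module on Windows Server 2012 or later.

```powershell
# Added example (not from the course): selective authentication in the order the slide
# gives it. Domains follow the module's diagram; the server and group are constructed.
# Get-ADTrust assumes the ActiveDirectory module (Windows Server 2012 or later).

# Step 1: on the trusting (resource) forest, switch the forest trust from forest-wide
# to selective authentication. From this point no woodgrovebank.com user can log on to
# any contoso.com computer until they are explicitly allowed on it.
netdom trust contoso.com /domain:woodgrovebank.com /SelectiveAuth:yes

# Step 2: grant "Allowed to Authenticate" (a control access right) on the computer
# object of each server the trusted users may reach; grant it to a group, not to users.
$server = 'CN=FS1,OU=Servers,DC=contoso,DC=com'
dsacls $server /G 'WOODGROVEBANK\ProjectUsers:CA;Allowed to Authenticate'

# Verify both settings; SelectiveAuthentication should now be True and the ACE present.
Get-ADTrust -Identity woodgrovebank.com |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
dsacls $server | Select-String -Pattern 'Allowed to Authenticate'

# Symptom of a missing step 2: trusted users see "the machine you are logging onto is
# protected by an authentication firewall" instead of the resource.
```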
Demonstration: Configuring Advanced Trust Settings
In this demonstration, you will see how to configure advanced trust settings
Lab B: Configuring Active Directory Delegation and Trusts
• Exercise 1: Delegating Control of AD DS Objects
• Exercise 2: Configuring AD DS Trusts
Logon information
Virtual machines: 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-SVR1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 20 minutes
Lab B Review
• After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain?
• How would you configure a forest trust with another organization if the organization does not provide you with their administrator credentials?
Module Review and Takeaways
• Review questions
• Considerations for configuring Active Directory objects
• Tools
Beta Feedback Tool
• Beta feedback tool helps:
  ◦ Collect student roster information, module feedback, and course evaluations.
  ◦ Identify and sort the changes that students request, thereby facilitating a quick team triage.
  ◦ Save data to a database in SQL Server that you can later query.
• Walkthrough of the tool
Beta Feedback
• Overall flow of module:
  ◦ Which topics did you think flowed smoothly from topic to topic?
  ◦ Was something taught out of order?
• Pacing:
  ◦ Were you able to keep up? Are there any places where the pace felt too slow?
  ◦ Were you able to process what the instructor said before moving on to the next topic?
  ◦ Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
• Learner activities:
  ◦ Which demos helped you learn the most? Why do you think that is?
  ◦ Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
  ◦ Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?