MCSE Exam 70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure, part 6 (docx)


possible for a user to have several layers of GPOs applied, it is very possible to have conflicting policies. This section discusses how to evaluate which policy will ultimately apply.

The first concept that needs to be covered is the order in which policies are applied. The first rule to remember is that a policy always overrides a profile setting. This becomes a factor when users are moved from an OU where they use roaming profiles that give them a lot of liberty to configure their own settings to an OU where their privileges are more tightly controlled: they will notice that their profile settings are overwritten by the OU policies.

The next concept is the order of application of policies. Group Policy is applied in this order:
■ Local computer policy
■ Site policy
■ Domain policy
■ OU policies, starting with the parent OU and working inward toward the security object through the child OUs
Because a setting applied later overwrites a conflicting setting applied earlier, a child OU's setting normally wins over its parent's.

As an administrator, you still have further control over the application of policies. Windows Server 2003 Active Directory has two settings that help you with this control: No Override and Block Inheritance. No Override (called Enforced in the Group Policy Management Console) is set on a GPO link to prevent a child OU's policy setting from overwriting the policy setting of the parent. It has no effect on settings that are not configured in the parent GPO. Block Inheritance is set on a container (a domain or an OU) and stops the policy settings of parent containers from being applied to that container. If both are set, No Override takes effect: an enforced link cannot be blocked.

TEST DAY TIP
You might encounter questions on the exam that require you to evaluate a number of different GPOs applied at site, domain, and OU level and determine the effective policy for a particular user, computer, or OU.
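The evaluation rules just described (local, site, domain, parent OU, child OU; last writer wins; Block Inheritance; No Override), as an added worked example that is not from the book: a small Python model of effective-policy resolution, run over the OU trees of self-test questions 7 and 8 later in this chapter. The setting names and values are made up for the illustration, and the GPO linked to the Tech OU in the question-7 scenario is an addition used to show a parent/child conflict.

```python
"""Effective Group Policy evaluator (LSDOU, Block Inheritance, No Override).

Added example, not from the book: a model of the precedence rules the chapter
describes, run over the OU trees of self-test questions 7 and 8.  Setting
names and values are made up; the GPO linked to the Tech OU is an addition.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Link:
    gpo: str
    settings: Dict[str, str]
    enforced: bool = False   # "No Override" in the 2003 UI, "Enforced" in GPMC


@dataclass
class Scope:
    name: str
    links: List[Link] = field(default_factory=list)  # application order; last listed wins
    block_inheritance: bool = False


def effective_policy(chain: List[Scope]) -> Tuple[Dict[str, str], List[str]]:
    """chain is the LSDOU path: [local, site, domain, parent OU, ..., target OU].

    Returns the effective settings and the GPO names in the order applied.
    """
    collected: List[Tuple[int, Link]] = []
    for depth, scope in enumerate(chain):
        if scope.block_inheritance:
            # Block Inheritance discards every non-enforced link inherited from
            # above.  The local GPO (depth 0) is not an AD link and survives.
            collected = [(d, l) for d, l in collected if d == 0 or l.enforced]
        collected.extend((depth, link) for link in scope.links)

    normal = [l for _, l in collected if not l.enforced]
    # Enforced links are applied after all normal links; the one nearest the
    # root is applied last, so a parent's enforced setting beats a child's.
    enforced = [l for _, l in sorted(((d, l) for d, l in collected if l.enforced),
                                     key=lambda t: -t[0])]

    result: Dict[str, str] = {}
    applied: List[str] = []
    for link in normal + enforced:
        result.update(link.settings)   # a later application overwrites an earlier one
        applied.append(link.gpo)
    return result, applied


def self_test_q8_sales() -> Tuple[Dict[str, str], List[str]]:
    """Restrictions seen by a user in the Sales OU (Corp > Marketing > Sales).

    Technical and PR are siblings, not ancestors, so their GPOs never apply.
    """
    chain = [
        Scope("local"), Scope("site"), Scope("domain"),
        Scope("Corp", [Link("CorpPolicy", {"registry_tools": "disabled"})]),
        Scope("Marketing", [Link("MarketingPolicy", {"network_connections": "locked"})]),
        Scope("Sales", [Link("SalesPolicy", {"screensaver": "3D Pipes"})]),
    ]
    return effective_policy(chain)


def self_test_q7_tech(block: bool, no_override_on_corp: bool) -> Dict[str, str]:
    """Corp links Desktop then Network; Tech is a child OU with its own GPO
    (an addition to the book's scenario) that re-enables Registry editing.
    """
    chain = [
        Scope("local"), Scope("site"), Scope("domain"),
        Scope("Corp", [
            Link("Desktop", {"wallpaper": "corporate logo"}),
            Link("Network", {"registry_tools": "disabled"}, enforced=no_override_on_corp),
        ]),
        Scope("Tech", [Link("TechPolicy", {"registry_tools": "enabled"})],
              block_inheritance=block),
    ]
    return effective_policy(chain)[0]


if __name__ == "__main__":
    print("Q8 Sales:", self_test_q8_sales())
    for block in (False, True):
        for enforced in (False, True):
            print(f"Q7 Tech block={block} no_override={enforced}:",
                  self_test_q7_tech(block, enforced))
```

Run without arguments it prints the four question-7 combinations: with nothing set the child's setting wins, Block Inheritance on Tech removes Corp's settings, and No Override on Corp's Network link restores the Registry lockout in both cases, which is the "No Override beats Block Inheritance" rule above.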
It is helpful, in these situations, when there are multiple nested OUs, to draw a diagram of the OU structure to help you see the relationships between parent and child containers.

Working with Trusts and Organizational Units • Chapter 5, page 411 (www.syngress.com)

Summary of Exam Objectives

In this chapter, we covered several of the Microsoft exam objectives. The first of these objectives is to establish trust relationships. Trust relationships are the relationships established between domains, trees, and forests so users in one domain can access the resources in another domain. This could be accomplished by creating new user accounts for the people who need to access the resources, but doing so would add to the administrative overhead of the domain. Microsoft developed a better solution: trust relationships.

Trusts come in many flavors to meet the needs of the situation where users in one domain need access to the resources in another domain. First, there are the default trusts created between parent and child domains. These trusts are automatically created to simplify usage of resources in a tree. The network administrator can create additional types of trusts such as external, shortcut, realm, and forest trusts. External trusts link a domain to a domain outside the forest. Shortcut trusts simplify the authentication paths needed to authenticate users. Realm trusts are created to connect a non-Windows Kerberos realm to a Windows Server 2003 domain. Forest trusts link forests together in the enterprise.

As you create these additional trust types, you can determine whether the trust will work in one direction only, or in both directions. When the trust works in both directions, it is called a two-way or bidirectional trust, and users in both domains have access to resources in both domains. Another issue is whether the trust is transitive. A transitive trust "passes" through one trusted domain to another.
A transitive trust implies a trust relationship when more than two domains are involved. If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C. This is sometimes not the effect you want when creating trusts. The administrator has control over the transitive nature of the trust. As a further protection, SID filtering helps to prevent elevation of privilege attacks that could potentially be launched by rogue users who have administrative access in the trusted domain.

The second part of this chapter covered working with organizational units (OUs). An OU is a container used to organize the resources and users of the domain. OUs can contain computers, users, groups of users, printers, shared directories, and other OUs. As the corporate infrastructure shifts, it is easy to move objects inside the Active Directory structure from one OU to another.

One of the major reasons for creating an OU is to apply policy settings that affect the Windows environment, security, and applications to the members of the OU. This is accomplished using Group Policy Objects (GPOs). Another major reason for creating OUs is to be able to delegate control to a local manager or supervisor. This empowers local supervisors with the ability to manage the users and computers within their realm of control.

Trusts and OUs are both important components of a Windows Server 2003 network, and thus it is important to understand both, not only to master the objectives of Exam 70-294, but to perform the duties of a network administrator.

Exam Objectives Fast Track

Working with Active Directory Trusts
■ Trusts allow users in one domain to access resources in another domain without having to create additional accounts in the domain with the resources.
■ Whenever a child domain is created, two-way transitive trusts are automatically created between the parent and the child.
■ Realm trusts are created to join a Windows Server 2003 domain to a non-Windows Kerberos realm.
■ Forest trusts are created between the root domains of two forests to allow users in one forest to access resources in the other forest.
■ SID filtering is a security mechanism on a trust that uses the domain SID to verify each security principal presented across the trust, discarding any SID that does not belong to the trusted domain.

Working with Organizational Units
■ OUs are Active Directory containers that can have users, groups, printers, shared folders, computers, and other OUs as members.
■ OUs are created to help organize objects in Active Directory; they are not security principals.
■ The smallest Active Directory container to which a GPO can be linked is an OU.
■ Control of the OU can be delegated to other users to simplify the task of administration.

Planning an OU Structure and Strategy for Your Organization
■ Create separate domains when you need decentralization of administrative functions and for GPOs that use different Password and Account Lockout Policies.
■ You must delegate control over an OU for others to be able to manage the OU.
■ GPOs are applied first to the local computer, then to the site, then to the domain, then to parent OUs, and finally to child OUs.
■ You can control the application of GPOs to child OUs by using Block Inheritance or by setting No Override. (Policy inheritance does not cross domain boundaries: GPOs linked to a parent domain are not applied to its child domains.)

Exam Objectives Frequently Asked Questions

Q: What are the differences between external, realm, and shortcut trusts?
A: An external trust is created to establish a relationship with a domain outside your tree or forest. A realm trust is created to establish a relationship with a non-Microsoft network using Kerberos authentication. A shortcut trust is used to optimize the authentication process.
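The SID filtering mechanism described in the summary and the Fast Track above, as an added example that is not from the book or from Microsoft: a simplified Python model of what a trust with SID filtering does to the SIDs a trusting domain receives for a user authenticating from the trusted domain. The real rules (the MS-PAC "SID filtering" section) have more special cases; the allowlist of well-known SIDs, the domain SIDs and the presented SID list below are all constructed for the illustration. The third-domain SID in the list is the situation of self-test question 5: a member of the partner's universal group who comes from one of the partner's other trusted domains is filtered out.

```python
"""SID filtering across a trust, as a simplified model.

Added example, not from the book or from Microsoft.  The allowlist and every
SID value here are assumptions constructed for the illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Assumed allowlist of non-domain well-known SIDs that survive filtering.
WELL_KNOWN_KEEP = {
    "S-1-1-0",    # Everyone
    "S-1-5-11",   # Authenticated Users
}


def domain_sid_of(sid: str) -> Optional[str]:
    """Return the domain part of an account SID: S-1-5-21-x-y-z-RID -> S-1-5-21-x-y-z.

    Non-domain SIDs (well-known SIDs, BUILTIN S-1-5-32-*) return None.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7])
    return None


def filter_sids(trusted_domain_sid: str, sids: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Apply SID filtering for a trust whose trusted domain has the given SID.

    Keeps SIDs whose domain part is the trusted domain (the user's own SID and
    the groups of that domain) plus the assumed well-known allowlist; drops
    everything else, which is where SIDs of the trusting domain planted in
    SIDHistory, BUILTIN SIDs and SIDs of third domains end up.
    """
    kept: List[str] = []
    dropped: List[str] = []
    for sid in sids:
        if domain_sid_of(sid) == trusted_domain_sid or sid in WELL_KNOWN_KEEP:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


# Constructed scenario: "partner" is the trusted domain, "ours" the trusting one.
PARTNER_DOMAIN = "S-1-5-21-1111-2222-3333"
OUR_DOMAIN = "S-1-5-21-4444-5555-6666"
THIRD_DOMAIN = "S-1-5-21-7777-8888-9999"

# Authorization data a rogue partner administrator could present: his own
# account and group, a SID planted in SIDHistory, and foreign-domain SIDs.
PRESENTED_SIDS = [
    PARTNER_DOMAIN + "-1105",   # the partner user
    PARTNER_DOMAIN + "-1201",   # a universal group in the partner domain
    OUR_DOMAIN + "-512",        # our Domain Admins, planted via SIDHistory
    "S-1-5-32-544",             # BUILTIN\Administrators
    THIRD_DOMAIN + "-1001",     # a user from one of the partner's other trusts
    "S-1-1-0",                  # Everyone
    "S-1-5-11",                 # Authenticated Users
]


def partner_logon_sids() -> Tuple[List[str], List[str]]:
    """SIDs that survive, and SIDs removed, for the constructed partner logon."""
    return filter_sids(PARTNER_DOMAIN, PRESENTED_SIDS)


if __name__ == "__main__":
    kept, dropped = partner_logon_sids()
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The planted Domain Admins SID and the BUILTIN\Administrators SID never reach the trusting domain's access checks, which is the elevation-of-privilege protection the chapter refers to; the price is that a principal whose SID is not relative to the trusted domain is also dropped, even when it is a legitimate member of a group you granted access to.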
Q: What type of trust is needed to have users in a non-Windows Kerberos realm use resources in a Windows 2003 domain?
A: A realm trust will allow users in the non-Windows Kerberos realm to have access to the resources in a Windows 2003 domain.

Q: What type of trust needs to be created between the root domain and a domain that is several layers deep inside the same tree?
A: None. Transitive two-way trusts are automatically created between the layers of the tree structure.

Q: What is the difference between implied, implicit, and explicit trusts?
A: An implicit trust is one that is automatically created by the system. An example is the trusts created between parent and child domains. An explicit trust is one that is manually created. An example is a forest trust between two forests. An implied trust is one that exists because of the transitive nature of trusts. An example is the trust between two child domains that are in different trees of the same forest, where a tree-root trust exists between the roots of the trees.

Q: What exactly does SID filtering accomplish?
A: SID filtering is used to secure a trust relationship where the possibility exists that someone in the trusted domain might try to elevate his or her own or someone else's privileges. When it is enabled on a trust, any SID in the authorization data presented across the trust that does not belong to the trusted domain (for example, a SID of the trusting domain planted in a user's SIDHistory attribute) is discarded, so an administrator in the trusted domain cannot grant himself membership in the trusting domain's groups.

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: What is the difference between an OU, a site, and a domain?
A: All three are containers to which a GPO can be linked. The domain is the basic building block of the organization.
The domain contains OUs. Sites are defined for the whole forest rather than per domain: a site can hold domain controllers from several domains, and a domain can span several sites. The site is a container that represents the physical layout of the organization. An OU is a logical container that can be used to implement security policies, run scripts, deploy applications, and delegate authority for granular administrative control.

Q: What is the difference between an OU and a security principal?
A: A security principal is a user, group, computer, or service that holds an account and can be given access to resources. An OU is a container that is used to organize objects in Active Directory. OUs are also boundary units that are used to apply the security settings from a GPO.

Q: How and why is control of an OU delegated?
A: Control over an OU is delegated to put the responsibility for the OU in the appropriate hands. Control is often delegated to the manager or supervisor responsible for the users and computers in the OU. You delegate control by right-clicking the OU in Active Directory Users and Computers and selecting Delegate Control from the menu. This launches the Delegation of Control Wizard. You can also set the user account that has management responsibilities from the Managed By tab in the OU's properties.

Q: How are GPOs applied?
A: The User Configuration settings of GPOs are applied as part of the logon process, whereas the Computer Configuration settings are applied as part of the boot process. First the local GPO is applied, followed by the GPOs linked to the site, then the domain, and finally the OUs. GPOs linked to the parent OU are applied before the GPOs linked to the child. If a conflict exists in the settings of the various GPOs, the one applied last takes precedence, unless an earlier link is set to No Override.

Self Test

Working with Active Directory Trusts

1. You are administering two domains, mycompany.com and denver.hr.mycompany.com.
Users in denver.hr.mycompany.com need to access resources in mycompany.com. You want to optimize the trust relationships. What type of trust should you create to allow this?
A. Cross-domain trust
B. Shortcut trust
C. External trust
D. None

2. Your company, mycompany.com, is merging with the yourcompany.com company. The details of the merger are not yet complete. You need to gain access to the resources in the yourcompany.com company before the merger is completed. What type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

3. Your boss just informed you that your company will be participating in a joint venture with a partner company. He is very concerned about the fact that a trust relationship needs to be established with the partner company. He fears that an administrator in the other company might be able to masquerade as one of your administrators and grant himself privileges to resources. You assure him that your network and its resources can be protected from an elevated privilege attack. Along with the other security precautions that you will take, what will you tell your boss that will help him rest easy about the upcoming scenario?
A. The permissions set on the Security Accounts Manager (SAM) database will prevent the other administrators from being able to make changes.
B. The SIDHistory attribute tracks all access from other domains. Their activities can be tracked in the System Monitor.
C. The SIDHistory attribute from the partner's domain attaches the domain SID for identification.
If an account from the other domain tries to elevate its own or another user's privilege, SID filtering removes the SID in question.
D. SID filtering tracks the domain of every user who accesses resources. The SIDHistory records this information and reports the attempts to the Security log in Event Viewer.

4. You recently completed a merger with yourcompany.com. Corporate decisions have been made to keep the integrity of both of the original companies; however, management has decided to centralize the IT departments. You are now responsible for ensuring that users in both companies have access to the resources in the other company. What type of trust should you create to solve the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust

5. You recently created a trust relationship with a partner company for collaboration on a joint project. This partner company has many such joint projects and has many trust relationships with other companies. You created a share containing all the files needed for the joint project. You worked with the partner company's administrator and added your project members to one of his existing universal groups that contains all of the members in his domain who need access to the project files. You added them to the permissions on the folder and the permissions on the share. You granted the universal group Read access to the share permission and Read & Execute access to the folder via NTFS permissions. SID Filtering has been enabled. The users in the universal group are now complaining that they cannot gain access to the project's files. What do you need to do to fix the problem?
A. You need to upgrade the level of permissions on the folder to Modify so that the universal group can have access.
B. You need to upgrade the level of permissions to Change on the share so that the universal group can have access.
C. You need to break the trust relationship and recreate it; it has a corrupted file.
D.
You need to have the domain administrator from the partner domain verify that only members from his domain are in the universal group.

Working with Organizational Units

6. The development team of your company has started a new research project. They want to ensure that only the members of their project team are allowed to see the new directories that they create. You created a new OU that contains the user accounts of the development team, the computers they will be using, a shared folder where they are going to place their research documents, and several printers that are to be isolated from the rest of the company. They are concerned about who will have access to the new directories. How will you protect the directories from unauthorized access?
A. Create a GPO that will limit access to the directories. Apply the GPO to the new OU.
B. Create a GPO that will limit access to the directories. Apply the GPO to the domain.
C. Create a security group that contains the members of the research group. Remove the Everyone group from the ACL. Add the new group to the ACL and grant it the appropriate permissions.
D. Do nothing. Since the directories and files are part of an OU, no one outside the OU can access them.

7. You created three OUs for your domain: one called Corp, and two child OUs called Sales and Tech. You create two GPOs, one called Desktop and the other called Network. The Desktop GPO specifies the desktop settings for all users. The Network GPO specifies the network and Registry policies. The Registry policy prohibits users from being able to edit the Registry. You first apply the Desktop GPO to the Corp OU and then apply the Network GPO to the Corp OU. You want the members of the Tech OU to be able to modify Registry settings. What should you do?
A. Nothing; because the GPOs were not applied to the Tech OU, they will not affect the users.
B.
Nothing; because you applied the Desktop GPO first, the Desktop GPO will not take effect.
C. You should set No Override on the Tech OU so that its settings are not overridden.
D. You should set Block Inheritance on the Tech OU so that the settings from the parent OU are not applied to the child OU.

8. Your Active Directory domain has one site and five OUs. Marketing and Technical are child OUs of the Corp OU. The Marketing OU is a parent to the Sales and PR OUs. You are using GPOs to configure environment and security policies on the network. The following restrictions are in place:
■ Corp OU: Disable Registry editing tools for all users
■ Marketing OU: Disable modification of network connections for all users
■ Technical OU: Corporate logo as desktop wallpaper for all users
■ Sales OU: 3D Pipes screensaver for all users
■ PR OU: High Contrast #1 color scheme for all users
Which restriction or restrictions will be in place for users in the Sales OU? (Choose all that apply.)
A. Disable Registry editing tools for all users.
B. Disable modification of network connections for all users.
C. Corporate logo as desktop wallpaper for all users.
D. 3D Pipes screensaver for all users.
E. High Contrast #1 color scheme for all users.

9. You have an OU called Support. You have a GPO called RegEdit. The only setting in the RegEdit GPO is that the use of the Registry editing tools has been disabled in the User Configuration node. For performance reasons, the decision has been made to limit the number of GPOs that are processed at logon. The decision has been made to remove the requirement to disable the use of the Registry editing tools. What should your course of action be to implement the new decisions?
A. Remove the RegEdit GPO from the Support OU.
B. Create a new GPO that enables the use of the Registry editing tools. Apply the new GPO to the Support OU.
C.
Edit the Registry on the computers used by the Support OU to allow use of the Registry editing tools.
D. Configure a local GPO to allow the use of the Registry editing tools. Set the No Override option on this policy.

10. You created three OUs for your domain: one called Corp, and two child OUs called Sales and Tech. You create two GPOs, one called Desktop and the other called Network. The Desktop GPO specifies the desktop settings for all users. The Network GPO specifies the network and Registry policies. The Desktop policy prohibits users from being able to change their wallpaper. You first apply the Desktop GPO to the Corp OU, and then apply the Network GPO to the Corp OU. You delegated control of the OU to the senior member of the Tech group. Later, the Tech OU manager modifies the Desktop GPO to allow his users to change their wallpaper. What should you do to ensure that their changes will not take effect?
A. Nothing; since the GPOs were not applied to the Tech OU, they will not affect the users.
B. You should set No Override on the Tech OU so that its settings are not overridden.
C. You should set No Override on the Corp OU so that its settings are not overridden.
D. You should set Block Inheritance on the Tech OU so that the settings from the parent OU are not applied to the child OU.

11. Your network consists of a single domain and five OUs. The parent OU is named Corp. Corp has two child OUs, First Floor and Second Floor. The First Floor OU has one child OU, Sales. The Second Floor OU has one child OU, Administration.
All of the company's DCs are members of the Corp OU. The First Floor and Second Floor OUs contain the resources that belong to their respective floors. The Sales OU has nonadministrative computers, users, and groups. The Administration OU has the administration computers, users, and groups. You need to design a domainwide security policy that will accomplish the following goals:
■ All users need to have the same password and lockout policy.
■ Audit policies are required for only the DCs.
■ The nonadministrative computers do not need the same level of security applied to them as is required for the administrative computers.
■ The number of group policies to be processed at logon needs to be minimized.
You take the following actions:
■ Create a single GPO.
■ Import a security template for the DCs.
■ Link the GPO to the domain.
Which of the desired results are achieved by your actions?
A. All users have the same password and lockout policy.
B. Audit policies implemented only on the DCs.
C. The nonadministrative computers have the same level of security applied to them as is required for the administrative computers.
D. The number of group policies to be processed at logon is minimized.

[...] defined as the practice of transferring data from a data store present on a source computer to an identical data store present on a destination computer to synchronize the data. In a network, the directory data must live in one or more places on the network to be equally available to all users. The Active Directory directory service manages a replica of directory data on one or more DCs, ensuring the availability [...]
[...] worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each role and service of Active Directory Sites works, and how Active Directory Sites can be used efficiently in terms of data transmission as part of a large network.

Working with Active Directory Sites • Chapter 6, page 427 (www.syngress.com)

Replication

Replication [...] location of domain controllers in various sites. A Domain Name System (DNS) server recognizes each domain that is present in a particular site. If your network requires more than one domain, you can easily create multiple domains. Figure 6.2 illustrates the relationship between sites and domains in a network, and helps us to understand that a site can have one or more domains, and a domain can have one or [...]

[...] administrator needs only to maintain one account per user.

EXAM WARNING
Make sure you are familiar with the advantages of the single sign-on feature and how it works.

Windows Server 2003 uses two methods to carry out authentication:
■ Interactive logon authentication
■ Network authentication
[...] logical structure of the organization. In Active Directory, sites map the physical structure of a network, while domains map the logical or administrative structure of an organization. This partitioning of physical and logical structure offers the following advantages:
■ You can develop and manage the logical and physical structures of your network independently.
■ You do not have to base domain namespaces [...]

[...] of Active Directory Site planning enables you to publish site information in the directory for use by applications and services. Generally, Active Directory itself consumes the site information. You'll see how replication impacts site planning later in the chapter.

Criteria for Establishing Separate Sites

When you initially create a domain, a single default Active Directory site called Default-First-Site-Name [...]

[...] open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools | Active Directory Sites and Services. The Active Directory Sites and Services console appears as shown in Figure 6.4.
Figure 6.4 The Active Directory Sites and Services Tool
2. Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console. Right-click and select [...]

[...] Windows Server 2003 Active Directory. A site consists of multiple Internet Protocol (IP) subnets linked together by rapid and reliable connections. The primary role of sites is to increase the performance of a network by economic and rapid transmission of data. The other roles of sites are replication and authentication. The Active Directory physical structure manages when and how the authentication and replication must take place. The Active Directory physical structure allows the management of Active Directory replication scheduling [...]

TEST DAY TIP
As a network administrator, you must be familiar with the various authentication mechanisms offered by Active Directory Sites. You needn't worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each of the authentication mechanisms of Active Directory Sites works, and how Active Directory Sites can be used efficiently in terms of user authentication [...]

[...] A site is also renamed when a network of an organization is expanded by one or more sites. Even if an organization is located in a single location, it makes sense to rename Default-First-Site-Name, because you never know when the network will expand. Renaming a site enables administrators to differentiate sites present in a network easily and [...]

[...] computer. Information such as the user's name and password is verified against the data available in the system. If the system finds a match, access is granted and an access token is generated that is used [...]

Planning an OU Structure and Strategy for Your Organization

12. Your Active Directory domain [...]

Posted: 13/08/2014, 15:20
