TRUSTS

By Pang-Chieh Chou, http://www.hal-pc.org

In an enterprise network, there may be more than one domain. If a user wishes to access resources in more than one domain, then there must be some form of communication between the various domains. In addition, to minimize administration, each user should have only one account in one domain.

A trust relationship allows communication between two domains so that a user may access resources in more than one domain while having only one account in one domain. Through a process called pass-through authentication, the domain controller in one domain can send an authentication request to the domain controller in another domain. A user needs to log on and provide a password only once while accessing resources in his own domain or other domains.

Trusts, global groups, local groups, and permissions are the most important concepts for the Enterprise exam. To do well on these questions, keep things simple and stick to these rules.

 

GLOBAL GROUP

- can contain only user accounts from one domain, namely, the domain where the global group was created

- cannot contain a global group

- cannot contain a local group

- can be placed into a local group in its own domain

- can be placed into a local group in a trusTHING domain

- can be granted permissions and rights in its own domain BUT Microsoft generally wants you to grant permissions and rights to local groups instead

 

LOCAL GROUP

- can contain users from domain where local group resides

- can contain global groups from domain where local group resides

- can contain users from trustED domains

- can contain global groups from trustED domains

- cannot contain a local group

- can be granted permissions and rights to use resources in only its own domain

 

Instead of assigning rights and permissions to each individual user, Microsoft generally recommends that you group users with similar needs and assign permissions and rights to groups. Any new user added to a group will be granted the group's permissions and rights, making administration more efficient.

 

AGLP (the Microsoft model)

Place user Accounts into global groups.

Place Global groups into local groups.

Grant Local groups Permissions.

TRUSTS

If Domain A trusts Domain B (A -> B) then,

- Domain A is the trusTHING domain (resource domain)

- Domain B is the trustED domain (account domain)

 

Point the arrow at ED.

THING trusts ED.

Therefore THING will allow ED to use THING's resources.

=============================================

HOW TO IMPLEMENT TRUSTS

Situation:

DomainA trusts DomainB. UserB has an account in DomainB.

1) Add userB from DomainB into a global group in DomainB.

2) Add DomainB\globalgroup into a local group in DomainA.

3) Grant permissions and rights to the local group in DomainA.

 

Now userB can do all of the following:

- log on to DomainB at a computer in DomainB

- log on to DomainB at a computer in DomainA by selecting DomainB in the drop-down domain menu at logon

- access resources in DomainB

- access resources in DomainA

 

However, the above trust is one-way. UserA in DomainA can only

- log on to DomainA at a computer in DomainA

- access resources in DomainA

Assuming there is neither an enabled Guest account nor a local account for userA in DomainB, userA cannot access resources in DomainB.

==============================================

On questions involving trusts, sketching the domains, groups, and users helps tremendously.

Use a big circle to represent a domain.

Use a smaller circle to represent a global group.

Use a square to represent a local group.

Use a stick figure to represent a user account. Be sure to locate the global user account in the domain where the user account actually is created.

Point your trust arrow in the correct direction.

Remember a user can be physically in many places, but a user's global account resides in only one domain. A user can access resources in that domain where his/her account was created.

By default, a global user account in a domain is a member of the global group Domain Users. By default, the Guest user account is disabled.

Provided AGLP and trusts are properly implemented, a user whose account was created in a trustED domain can access resources in the trustED domain and resources in the trusTHING domain.

Provided AGLP and trusts are properly implemented, a user whose account was created in a trusTHING domain can access resources in the trusTHING domain.

===============================================

Two Way Trust

A two-way trust is established between two domains if each domain trusts the other domain. A two-way trust is simply the result of two one-way trusts between the two domains. To implement a two-way trust, follow AGLP and the previous guidelines for a one-way trust in both directions. Now users in one domain can access resources in the other domain and vice versa.

 

===============================================================

Trusts are not Transitive

Suppose you have set up the following: Domain A trusts Domain B; Domain B trusts Domain C

Can we conclude that Domain A trusts Domain C? No. You must separately set up Domain A to trust Domain C.
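As an added example (not from these notes), the following Python model encodes the one-way trust and AGLP nesting rules from HOW TO IMPLEMENT TRUSTS above and the non-transitivity rule just stated. The domain names Research, Manufacturing and Sales, the groups Engineers, PlanReaders and Reps, the user joe and the resource "plans" are constructed for illustration.

```python
from collections import defaultdict

# Constructed toy model (not NT's real SAM): domain name -> trusts, global and local groups, permissions.
DOMAINS = defaultdict(lambda: {"trusts": set(), "global": {}, "local": {}, "perms": {}})

def trust(trusting, trusted):
    DOMAINS[trusting]["trusts"].add(trusted)  # trusTHING (resource) -> trustED (account)

def add_user_to_global(dom, ggroup, user_dom, user):
    # Global group rule: only accounts from the domain where the group was created.
    if user_dom != dom:
        raise ValueError(f"{dom}\\{ggroup} cannot hold an account from {user_dom}")
    DOMAINS[dom]["global"].setdefault(ggroup, set()).add(user)

def add_global_to_local(dom, lgroup, gdom, ggroup):
    # Local group rule: global groups from its own domain or from a trustED domain only.
    if gdom != dom and gdom not in DOMAINS[dom]["trusts"]:
        raise ValueError(f"{dom} does not trust {gdom}")
    DOMAINS[dom]["local"].setdefault(lgroup, set()).add((gdom, ggroup))

def grant(dom, lgroup, resource):
    DOMAINS[dom]["perms"].setdefault(resource, set()).add(lgroup)  # P: permissions on the local group

def can_access(user_dom, user, res_dom, resource):
    # Pass-through authentication only if res_dom is user_dom or trusts it; then A -> G -> L -> P.
    d = DOMAINS[res_dom]
    if res_dom != user_dom and user_dom not in d["trusts"]:
        return False
    for lgroup in d["perms"].get(resource, ()):
        for gdom, ggroup in d["local"].get(lgroup, ()):
            if gdom == user_dom and user in DOMAINS[gdom]["global"].get(ggroup, ()):
                return True
    return False

def build_example():
    """Ex. 1 of the notes (Manufacturing trusts Research) plus a third domain, Sales."""
    DOMAINS.clear()
    trust("Manufacturing", "Research")  # arrow points at ED: Manufacturing -> Research
    trust("Research", "Sales")          # Research -> Sales, but nothing links Manufacturing to Sales
    add_user_to_global("Research", "Engineers", "Research", "joe")
    add_global_to_local("Manufacturing", "PlanReaders", "Research", "Engineers")
    grant("Manufacturing", "PlanReaders", "plans")

def transitive_attempt():
    try:
        add_global_to_local("Manufacturing", "PlanReaders", "Sales", "Reps")
        return True
    except ValueError:  # trusts are not transitive: Manufacturing cannot nest a Sales group
        return False
```

After build_example(), can_access("Research", "joe", "Manufacturing", "plans") is True, a Manufacturing user gets nothing in Research because the trust is one-way, and transitive_attempt() is False.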

==============================================================

Four Domain Models

Single Domain Model

A single domain model has the following features:

--------------------------------------------------------------------------------------------------------------------

Single Master Domain Model

A single master domain model has the following features:

-------------------------------------------------------------------------------------------------------------

Multiple Master Domain Model

A multiple master domain model has the following features:

----------------------------------------------------------------------------------------------------------

Complete Trust Model

A complete trust model consists of a network in which every domain trusts all the other domains. That is, there is a two-way trust between every possible pair of domains. The number of trusts to manage can become very large as the number of domains increases.

=====================================================================

Examples:

Ex. 1 Joe has a user account in the Research domain. He wishes to access a directory on a server in the Manufacturing domain. The guest account is disabled in both domains. How can this be accomplished?

First, sketch the situation as described.

YOU do the sketch!

Joe has an account in the Research domain and can access resources in Research. However, since the Guest account is disabled in the Manufacturing domain and there is no trust yet, he will be unable to access resources in the Manufacturing domain at this time.

In order for Joe to access resources in Manufacturing, we must establish a trust relationship between the two domains. Which domain should trust which other domain? (Which way should the trust arrow point?)

Joe's user account will be allowed access in another domain, so we point the trust arrow toward his account. Therefore, the Manufacturing domain must trust the Research domain.

YOU do the sketch!

After we establish the above trust relationship, we should implement Microsoft's AGLP model. So next, we place Joe's user account into a global group in the Research domain.

YOU do the sketch!

We next place the Research\GlobalGroup into a local group in the Manufacturing domain. The local group must be granted appropriate permissions.

YOU do the sketch!

=================================================================

Ex. 2 The North domain trusts the South domain. The Guest account is disabled in both domains. The administrator in the South domain has just created a new user account named Jill. The administrators in both domains have not added Jill to any groups. Jill logs on to a computer in the North domain.

1. How could Jill log on to a computer that is not in her domain?
2. What resources may Jill access at this time?

1. Jill's user account is in the South domain. Jill can log on to a computer in the North domain because she can use the drop-down menu for domains to log in. The domain controller in North will pass her username and password through to the domain controller in South for authentication. Since the domain controller in South authenticates her logon, she has logged on to the South domain.

YOU do the sketch!

2. Jill's user account is by default a member of the South\DomainUsers global group. Therefore, Jill will be able to access resources that all members of South\DomainUsers can access.

=======================================================================

Ex. 3 Your company has implemented a single master domain model as follows:

Master domain: New York

Resource domains: Los Angeles, Miami, Seattle

1. Can users logging on to computers in the New York domain access resources in the Miami domain?
2. Can users logging on to computers in the Miami domain access resources in New York?

YOU do the sketch!

1. All users have accounts in the New York domain. Since the Miami domain trusts the New York domain, users logging on at machines in the New York domain will be able to access resources in the Miami domain.
2. All users have accounts in the New York domain, so a user logging on to a computer in the Miami domain has an account in the New York domain. Therefore, that user will be able to access resources in the New York domain.
