Planning Authentication and Authorization
Authentication involves checking that users are who they say they are. It uses username and
password or a security certificate installed on a smart card. Authorization determines whether
a user has access to resources through permissions or administrative rights through group
membership and delegation. Authorization can happen within a domain, across a domain
tree, or between forests. It involves the SAM, access control lists (ACLs), and protocols such as
MORE INFO Kerberos authentication
For more information about Kerberos authentication, see http://technet2.microsoft.com
this is a Windows Server 2003 article, it is valid for Windows Server 2008, as well.
Multifactor Authentication and Authorization
The network community is always happy to debate when a scenario involves multifactor
authentication and when it involves multifactor authorization. Ignore such debates. You have
an examination to pass.
214 Chapter 4 Designing Active Directory Administration and Group Policy Strategy
Multifactor authentication occurs when you must use two or more distinct methods to authenticate
an identity. For example, you are logged on to a domain with an administrative-level
account. You need to access a standalone Berkeley Internet Daemon (BIND) server through
Remote Desktop. You are asked for credentials. They are the same credentials that you used to
log on to the domain, but you need to enter them again. This is multifactor authentication.
Multifactor authorization occurs when you need to authenticate two people to accomplish a
stated aim. For example, you need to create a two-way forest trust between the contoso.internal
and litware.internal forests. You create one end of the trust logged on to the contoso.internal forest
as Kim_Akers. To create the other end, you need to provide the credentials for Tom_Perry
in the litware.internal forest. This is multifactor authorization.
Using Password Authentication
You can authenticate a user through a username and password. Before you plan a password
policy, you need to know what the default settings are. Figure 4-23 shows the default settings
for the contoso.internal domain.
Figure 4-23 Default password settings
As an experienced administrator, you should be familiar with password settings. However, you
might not be aware of the fine-grained password policies in Windows Server 2008. This topic
was discussed in the 70-646 TK. If you studied it for that examination, please treat this section
Lesson 2: Designing Enterprise-Level Group Policy Strategy 215
Configuring Fine-Grained Password Policies
As a first step in planning fine-grained password and account lockout policies, decide how
many password policies you need. Typically, your policy could include at least 3 but seldom
more than 10 Password Settings Objects (PSOs). At a minimum, you would probably want to
configure the following:
■ An administrative-level password policy with strict settings: for example, a minimum
password length of 12, a maximum password age of 28 days, and password complexity
■ A user-level password policy with, for example, a minimum password length of 6, a maximum
password age of 90 days, and password complexity requirements not enabled.
■ A service account password policy with a minimum password length of 32 characters
and complexity requirements enabled. (Service account passwords are seldom typed
in.) Because of their complexity, service account passwords can typically be set not to
expire or to have very long password ages.
You also need to look at your existing group structure. If you have existing Administrators and
Users groups, there is no point in creating new ones. Ultimately, you need to define a group and
Active Directory structure that maps to your fine-grained password and account lockout policies.
You cannot apply PSOs to OUs directly. If your users are organized into OUs, consider creating
shadow groups for these OUs and then applying the newly defined fine-grained password and
account lockout policies to them. A shadow group is a global security group that is logically
mapped to an OU to enforce a fine-grained password and account lockout policy. Add OU
users as members to the newly created shadow group and then apply the fine-grained password
and account lockout policy to this shadow group. If you move a user from one OU to
another, you must update user memberships in the corresponding shadow groups.
NOTE Shadow groups
You will not find an Add Shadow Group command in Active Directory Users and Computers. A
shadow group is simply an ordinary global security group that contains all the user accounts in one
or more OUs. When you apply a PSO to a shadow group, you are effectively applying it to users in
the corresponding OU.
Microsoft applies PSOs to groups rather than to OUs because groups offer better flexibility for
managing various sets of users. Windows Server 2008 AD DS creates various groups for
administrative accounts, including Domain Admins, Enterprise Admins, Schema Admins,
Server Operators, and Backup Operators. You can apply PSOs to these groups or nest them in
a single global security group and apply a PSO to that group. Because you use groups rather
than OUs, you do not need to modify the OU hierarchy to apply fine-grained passwords. Modifying
an OU hierarchy requires detailed planning and increases the risk of errors.
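The shadow-group bookkeeping described above (members of an OU mirrored into a global security group so a PSO follows OU moves) as a PowerShell function. This is an added example, not code from the training kit; it assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later RSAT, not with the Windows Server 2008 tools the lesson uses), and the OU and group names are placeholders.

```powershell
# Added example (not from the training kit): keep a shadow group's membership equal
# to the user accounts under an OU, so a PSO linked to the group tracks OU moves.
# Requires the ActiveDirectory module (Windows Server 2008 R2+ / RSAT); the OU and
# group names passed in are placeholders for the domain's own objects.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory=$true)][string]$OU,     # e.g. 'OU=Managers,DC=contoso,DC=internal'
        [Parameter(Mandatory=$true)][string]$Group,  # global security group mirroring the OU
        [switch]$IncludeSubOUs,                      # mirror nested OUs as well
        [switch]$ReportOnly                          # list changes, change nothing
    )
    $scope = if ($IncludeSubOUs) { 'Subtree' } else { 'OneLevel' }

    # A PSO can only be applied to users and global security groups, so refuse
    # anything else before touching membership.
    $g = Get-ADGroup -Identity $Group -Properties GroupScope, GroupCategory
    if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
        throw "$Group must be a global security group (PSOs cannot target other group types)"
    }

    # Desired membership: enabled user accounts in the OU. Disabled accounts are
    # left out so stale objects do not keep the policy alive by accident.
    $wanted  = @(Get-ADUser -SearchBase $OU -SearchScope $scope -Filter 'Enabled -eq $true' |
                 ForEach-Object { $_.DistinguishedName })
    $current = @(Get-ADGroupMember -Identity $Group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object { $_.DistinguishedName })

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    foreach ($dn in $toAdd) {
        if ($ReportOnly) { "ADD    $dn -> $Group" }
        else { Add-ADGroupMember -Identity $Group -Members $dn }
    }
    foreach ($dn in $toRemove) {
        # Users moved out of the OU lose the shadow group, and with it the PSO.
        if ($ReportOnly) { "REMOVE $dn <- $Group" }
        else { Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false }
    }
    New-Object PSObject -Property @{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Typical use: run from a scheduled task on a DC so OU moves are picked up
# before the user's next password change. -ReportOnly previews the changes.
Sync-ShadowGroup -OU 'OU=Managers,DC=contoso,DC=internal' -Group 'Managers-Shadow' -ReportOnly
```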
If you intend to use fine-grained passwords, you probably need to raise the functional level of
your domain. To work properly, fine-grained password settings require a domain functional
level of Windows Server 2008. Planning domain and forest functional levels is discussed in
Chapter 2. Changing functional levels involves irreversible changes. You need to be sure, for
example, that you will never want to add a Windows Server 2003 DC to your domain.
By default, only members of the Domain Admins group can create PSOs and apply a PSO to
a group or user. You do not, however, need to have permissions on the user object or group
object to be able to apply a PSO to it. You can delegate Read Property permissions on the
default security descriptor of a PSO to any other group (such as help desk personnel). This
enables users who are not domain administrators to discover the password and account lockout
settings applied through a PSO to a security group.
You can apply fine-grained password policies only to user objects and global security groups
(or inetOrgPerson objects if they are used instead of user objects). If your plan identifies a group
of computers that requires different password settings, consider techniques such as password
filters. Fine-grained password policies cannot be applied to computer objects.
If you use custom password filters in a domain, fine-grained password policies do not interfere
with these filters. If you plan to upgrade Windows 2000 Server or Windows Server 2003
domains that currently deploy custom password filters on DCs, you can continue to use those
password filters to enforce additional password restrictions.
If you have assigned a PSO to a global security group, but one user in that group requires special
settings, you can assign an exceptional PSO directly to that particular user. For example,
the CEO of Northwind Traders is a member of the senior managers group, and company policy
requires that senior managers use complex passwords. However, the CEO is not willing to
do so. In this case, you can create an exceptional PSO and apply it directly to the CEO’s user
account. The exceptional PSO will override the security group PSO when the password settings
(msDS-ResultantPSO) for the CEO’s user account are determined.
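The three-tier PSO plan from the start of this section, together with the exceptional per-user PSO just described, expressed as a PowerShell script. This is an added example, not code from the training kit; it assumes the ActiveDirectory module (Windows Server 2008 R2 and later RSAT, not the ADSI Edit procedure the lesson uses), and the group names, the user name ceo and the lockout values are placeholders.

```powershell
# Added example (not from the training kit): creates the administrative, user and
# service-account PSOs from the lesson's plan, links each to its group, then adds
# an exceptional PSO linked directly to one user. Group and user names are placeholders.
Import-Module ActiveDirectory

# When a user is covered by several group-linked PSOs, the lowest precedence
# number wins, so the strict administrative policy gets the smallest number.
$plan = @(
    @{ Name = 'PSO-Admins';  Precedence = 10; Group = 'Tier0-Admins';
       MinLen = 12; MaxAgeDays = 28;   Complex = $true  },
    @{ Name = 'PSO-Service'; Precedence = 20; Group = 'Service-Accounts';
       MinLen = 32; MaxAgeDays = 3650; Complex = $true  },   # long age, rarely typed
    @{ Name = 'PSO-Users';   Precedence = 50; Group = 'Standard-Users';
       MinLen = 6;  MaxAgeDays = 90;   Complex = $false }
)

foreach ($p in $plan) {
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLen -ComplexityEnabled $p.Complex `
            -MaxPasswordAge (New-TimeSpan -Days $p.MaxAgeDays) `
            -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
            -ReversibleEncryptionEnabled $false -LockoutThreshold 5 `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -LockoutDuration (New-TimeSpan -Minutes 30)
    }
    # PSOs apply only to users and global security groups, never to OUs or computers.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Exceptional PSO: a PSO linked directly to a user account overrides any
# group-linked PSO when msDS-ResultantPSO is computed, whatever the precedence.
New-ADFineGrainedPasswordPolicy -Name 'PSO-CEO-Exception' -Precedence 5 `
    -MinPasswordLength 6 -ComplexityEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 6 -ReversibleEncryptionEnabled $false -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-CEO-Exception' -Subjects 'ceo'

# Check what actually applies: no result means the Default Domain Policy is in force.
foreach ($u in 'ceo', 'svc-backup', 'jdoe') {
    $r = Get-ADUserResultantPasswordPolicy -Identity $u
    '{0}: {1}' -f $u, $(if ($r) { $r.Name } else { 'Default Domain Policy' })
}
```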
■ By default, members of which group can create PSOs?
Quick Check Answer
■ Domain Admins
Finally, you can plan to delegate management of fine-grained passwords. When you have created
the necessary PSOs and the global security groups associated with these PSOs, you can
delegate management of the security groups to responsible users or user groups. For example,
a human resources (HR) group could add user accounts to or remove them from the managers
group when staff changes occur. If a PSO specifying fine-grained password policy is associated
with the managers group, in effect the HR group is determining to whom these policies are
MORE INFO Fine-grained password and account lockout policy configuration
For more information about fine-grained password and account lockout policies, see
Using Smart Card Authentication
If you are using smart cards in your organization to provide additional security and control
over user credentials, your users can use those smart cards with authentication credentials to
obtain rights account certificates (RACs) and use licenses from an Active Directory Rights
Management Services (AD RMS) server (or more commonly in the enterprise environment, an
AD RMS cluster), provided a Secure Sockets Layer (SSL) certificate has already been installed.
MORE INFO AD RMS cluster
For more information about installing an AD RMS cluster, see http://technet2.microsoft.com
To use smart card authentication, you must also add the Client Certificate Mapping Authentication
role service in Server Manager. This is part of the Web Server (IIS) server role. Your next
step is to configure the authentication method in IIS. Perform these steps to do so.
1. In Internet Information Services (IIS) Manager, expand the server name in the console
tree and, in the results pane of the server Home page, double-click Authentication to
open the Authentication page.
2. In the results pane of the Authentication page, right-click Active Directory Client Certificate
Authentication, and then choose Enable.
3. Enable client authentication for the Web site that is hosting AD RMS. In IIS Manager,
expand the server name in the console tree, expand Sites, and then expand the Web site
that is hosting AD RMS. By default, the Web site name is Default Web Site.
4. In the console tree, expand _wmcs, right-click either the certification virtual directory (to
support RACs) or the licensing virtual directory (to support user licenses), and then
choose Switch To Content View.
5. In the results pane, right-click certification.asmx or license.asmx as appropriate, and then
choose Switch To Features View.
6. In the results pane on the Home page, double-click SSL Settings, and choose the appropriate
client certificates setting (Accept or Require).
Accept client certificates if you want clients to have the option to supply authentication
credentials by using either a smart card certificate or a username and password. Require
client certificates if you want only clients with client-side certificates such as smart cards
to be able to connect to the service.
7. Click Apply. If you want to use client authentication for both certification and licensing,
repeat this procedure but select the alternate virtual directory the second time.
8. Close IIS Manager. If you are using an AD RMS cluster, repeat the procedure for every
other server in the cluster.
Your next task is to force the authentication method to use Client Certificate Mapping Authentication
for the AD RMS cluster. Before you do that, back up the applicationhost.config file in
the %windir%\system32\inetsrv\config folder.
1. Open an elevated command prompt, and change the directory to %windir%\system32
2. Enter notepad applicationhost.config and locate the section similar to Default Web
3. If you want to allow smart card authentication in addition to Windows authentication,
access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128"
access sslFlags="Ssl, SslNegotiateCert, Ssl128"
4. Add a new line under windowsAuthentication enabled="true". In this line, type:
5. If you want to allow only smart card authentication, ensure that SSL client authentication
with IIS is required. Add a new line under windowsAuthentication enabled="true". In
this line, type:
7. Click File, choose Save, and then close Notepad.
8. In the command prompt window, enter iisreset.
Note that running iisreset from a command prompt will restart the services associated
Again, if you are using an AD RMS cluster, you repeat the procedure for every other server in
After you have configured these settings, a user who attempts to open rights-protected content
published by the AD RMS server or cluster is prompted to provide authentication credentials
before the server or cluster provides the user with an RAC or user license.
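The SSL and client-certificate settings from the two procedures above, applied with appcmd.exe from PowerShell rather than by editing applicationhost.config in Notepad. This is an added example, not code from the training kit; it assumes IIS 7 on the AD RMS server, the lesson's default site and virtual directory names, and that the IIS Manager switch "Active Directory Client Certificate Authentication" corresponds to the IIS 7 clientCertificateMappingAuthentication configuration element.

```powershell
# Added example (not from the training kit): sets the sslFlags shown in step 3 and
# enables client certificate mapping for the AD RMS certification and licensing
# services with appcmd.exe. Run from an elevated prompt on each server in the cluster.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'                      # lesson default; change if renamed
$paths  = @("$site/_wmcs/certification/certification.asmx",
            "$site/_wmcs/licensing/license.asmx")

# Accept (step 6): smart card OR username/password -> SslNegotiateCert only.
# Require (step 5): client certificate only          -> adds SslRequireCert.
$requireSmartCard = $false
$sslFlags = if ($requireSmartCard) { 'Ssl, SslNegotiateCert, SslRequireCert, Ssl128' }
            else                   { 'Ssl, SslNegotiateCert, Ssl128' }

# Back up applicationhost.config before changing it, as the lesson requires.
# Roll back with: appcmd restore backup "<name>"
& $appcmd add backup "PreSmartCard-$(Get-Date -Format yyyyMMddHHmm)"

foreach ($p in $paths) {
    # SSL and client certificate negotiation/requirement on the service file
    & $appcmd set config "$p" "/section:system.webServer/security/access" `
        "/sslFlags:$sslFlags" "/commit:apphost"
    # Map the presented certificate to the Active Directory account
    & $appcmd set config "$p" `
        "/section:system.webServer/security/authentication/clientCertificateMappingAuthentication" `
        "/enabled:true" "/commit:apphost"
}

# Show the effective access settings, then restart IIS. iisreset restarts every
# site on the server, so schedule it outside business hours on a production cluster.
foreach ($p in $paths) { & $appcmd list config "$p" "/section:system.webServer/security/access" }
iisreset
```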
PRACTICE Implementing Fine-Grained Password Policies
To complete this practice, the domain functional level of the contoso.internal domain must be
set to Windows Server 2008. If you are unsure how to do this, consult the Windows Server
2008 Help files.
Exercise Create a PSO
In this exercise, you will create a PSO with password policies that are not the same as the
default password policies for the contoso.internal domain. You associate this with a global security
group called special_password that contains the user Don_Hall. Do not attempt this practice
until you have raised the domain functional level of the contoso.internal domain to
Windows Server 2008. If you created a PSO while studying the 70-646 training kit, create
another one but change some of the settings.
1. Log on to the Glasgow DC with the Kim_Akers account.
2. If necessary, create a user account for Don_Hall with a password of P@ssw0rd. Create
a global security group called special_password. Make Don_Hall a member of
special_password. If you are unsure how to do this, consult the Windows Server 2008
3. In the Run box, type adsiedit.msc.
4. If this is the first time you have used the ADSI Edit console on your test network, right-click
ADSI Edit, and then choose Connect To. Type contoso.internal in the Name box,
and then click OK.
5. Double-click contoso.internal.
6. Double-click DC=contoso,DC=internal.
7. Double-click CN=System.
8. Right-click CN=Password Settings Container. Choose New. Choose Object, as shown in
Figure 4-24 Creating a password settings object
9. In the Create Object dialog box, ensure that msDS-PasswordSettings is selected. Click Next.
10. In the Value box for the CN attribute, type PasswdSettings01. Click Next.
11. In the Value box for the msDS-PasswordSettingsPrecedence attribute, type 10. Click Next.
12. In the Value box for the msDS-PasswordReversibleEncryptionEnabled attribute, type
FALSE. Click Next.
13. In the Value box for the msDS-PasswordHistoryLength attribute, type 6. Click Next.
14. In the Value box for the msDS-PasswordComplexityEnabled attribute, type TRUE. Click Next.
15. In the Value box for the msDS-MinimumPasswordLength attribute, type 6. Click Next.
16. In the Value box for the msDS-MinimumPasswordAge attribute, type 1:00:00:00. Click Next.
17. In the Value box for the msDS-MaximumPasswordAge attribute, type 20:00:00:00. Click Next.
18. In the Value box for the msDS-LockoutThreshold attribute, type 2. Click Next.
19. In the Value box for the msDS-LockoutObservationWindow attribute, type 0:00:15:00.
20. In the Value box for the msDS-LockoutDuration attribute, type 0:00:15:00. Click Next.
21. Click Finish.
22. Open Active Directory Users And Computers, choose View, and then choose Advanced
23. Expand contoso.internal, expand System, and then select Password Settings Container.
24. In the details pane, right-click PSO1. Choose Properties.
25. On the Attribute Editor tab, select msDS-PSOAppliesTo, as shown in Figure 4-25.
Figure 4-25 Selecting an attribute to edit
26. Click Edit.
27. Click Add Windows Account.
28. Type special_password in the Enter The Object Names To Select box. Click Check Names.
29. Click OK. The Multi-Valued Distinguished Name With Security Principal Editor dialog
box should look similar to Figure 4-26.
Figure 4-26 Adding the special_password global security group to PSO1
30. Click OK, and then click OK again to close the PSO1 Properties dialog box.
31. Test your settings by changing the password for the Don_Hall account to a noncomplex,
six-letter password such as simple.
■ When planning a Group Policy structure, keep it as simple as possible and minimize the
use of exceptions. Do not link GPOs to OUs across site links.
■ Scope filtering enables you to apply the policy settings in a GPO to selected groups or
users in the OU.
■ You can use Group Policy to control who can install devices on client workstations and
what devices they can install.
■ You can authenticate users by username and password or by security certificates held on
smart cards. Windows Server 2008 enables you to use fine-grained password policies.
Use the following questions to test your knowledge of the information in Lesson 2, “Designing
Enterprise-Level Group Policy Strategy.” The questions are also available on the companion
CD if you prefer to review them in electronic form.
Answers to these questions and explanations of why each answer choice is correct or incorrect are
located in the “Answers” section at the end of the book.
1. You are planning your Group Policy structure. Which of the following statements represents
A. Keep the number of GPOs to an absolute minimum by having many configuration
settings in a single GPO.
B. If you have two OUs, both at geographically remote sites, that have the same
Group Policy settings, link a single GPO to both OUs.
C. Give your OUs and GPOs meaningful names.
D. Use features such as the Enforced, Security Filtering, and Loopback Policy settings
on GPOs extensively.
2. Which of the following interfaces are components of the Active Directory data store?
(Choose all that apply.)
3. You want to use Group Policy to control device installation in accordance with company
policy. You want administrators to be able to install any device. You do not want standard
users to be able to install any but one device that has been approved by the company.
You know the Hardware ID for that device. Which of the following configuration
steps would you implement? (Choose all that apply.)
A. Enable Prevent Installation Of Devices Not Described By Other Policy Settings.
B. Disable or do not configure Prevent Installation Of Devices Not Described By
Other Policy Settings.
C. Enable Allow Administrators To Override Device Installation Restriction Policies.
D. Disable or do not configure Allow Administrators To Override Device Installation
E. Enable Prevent Installation Of Devices That Match Any Of These Device IDs, and
add the Hardware ID of the approved device to the policy setting.
F. Enable Allow Installation Of Devices That Match Any Of These Device IDs, and
add the Hardware ID of the approved device to the policy setting.
224 Chapter 4 Review
To further practice and reinforce the skills you learned in this chapter, you can perform the following
■ Review the chapter summary.
■ Complete the case scenarios. These scenarios set up real-world situations involving the
topics in this chapter and ask you to create a solution.
■ Complete the suggested practices.
■ Take a practice test.
■ Delegation increases administrative efficiency and reduces administrative costs. It provides
both isolation and autonomy. You can assign rights to security groups and delegate
control of OUs to groups.
■ You can delegate the management of groups to a group member and delegate rights to an
OU to users or groups without granting rights to any other part of the enterprise.
■ Avoid exceptions when planning Group Policy. You can use scope filtering to apply the
policy settings in a GPO to selected groups or users in the OU. You can use Group Policy
to control device installation.
■ New features in Windows Server 2008 enable you to audit changes to Group Policy and
Active Directory structure and to use fine-grained password policies.
■ The design of your OU and GPO structure depends on how the organization is structured
(geographically or by department) and which administrative model is used.
In the following case scenarios, you will apply what you have learned about designing Active
Directory administration and Group Policy strategy. You can find answers to these questions
in the “Answers” section at the end of this book.
Case Scenario 1: Designing a Delegation Strategy
You are an enterprise administrator at Northwind Traders. You have just upgraded your
domain to Windows Server 2008. You are planning to delegate administrative tasks to members
of your team and nonadministrative tasks to security groups that contain standard user
accounts. Answer the following questions:
1. Historically, the administrator team has mostly been involved in emergency resolution,
and changes were made to AD DS that were not well documented. The technical director
requires you to maintain an audit trail of AD DS changes, including what the original
configurations are before changes are made. How do you reassure him?
2. You have identified an OU that contains several security groups. You ask one of your
administrators to create a GPO and to link it to the OU. However, the policy settings in
the GPO should apply to only two of the groups and not to the remaining groups. Your
team member is unsure how to do this. What do you advise?
3. A member of your team uses Group Policy to deploy isolation policies to a group of servers
in your organization. After deploying the servers, you have determined that the isolation
policies are not being applied to several of the servers. Which Group Policy
Management Console tool should your team member use to diagnose this problem?
Case Scenario 2: Planning Authentication and Authorization
You are the enterprise manager at Litware, Inc. Litware has recently upgraded all its DCs to
Windows Server 2008, and you are planning authentication and authorization policies that
take advantage of the new features Windows Server 2008 provides. Answer the following
1. Some members of staff (for example, the CEO) want to use simple passwords, although
the default policy for the litware.com domain enforces complex passwords. Although this
is possible in Windows Server 2003, it is difficult to configure and, therefore, was never
implemented by Litware. You are asked whether Windows Server 2008 makes this configuration
easier. What is your reply?
2. A member of your administrative team informs you that she cannot get the fine-grained
password policy to work, even though all DCs now run Windows Server 2008. What do
you advise her to do?
3. Currently, all staff at Litware can install USB flash memory devices on their client workstations
and upload and download files. The technical director sees this as a security risk
and wants only administrators to be able to install such devices. However, he does not
want to lose the ability to boost Windows Vista client performance through the Windows
ReadyBoost feature. What do you tell him?
To help you successfully master the exam objectives presented in this chapter, complete the
Designing the Active Directory Administrative Model
Do both practices in this section.
■ Practice 1 Investigate management roles. Microsoft-engineered roles for data and system
management are listed in this chapter, and a link is given for more information. Follow
this link and investigate the Internet. Find out more about these roles.
■ Practice 2 Investigate compliance auditing. This chapter discusses AD DS and Group
Policy auditing, but space prohibits a detailed discussion of every possible setting and
option. Search the Internet for more information on this topic.
Designing Enterprise-Level Group Policy Strategy
Do both practices in this section.
■ Practice 1 Work with device installation policy settings. The only good way to become
familiar with them and how they interact is to configure them and observe the results.
Experiment with these settings.
■ Practice 2 Configure PSOs. A PSO can contain a large number of settings, of which you
configured only a small subset in the practice in Lesson 2. Experiment with PSO settings
and determine the effects each has on the security policies that affect the users associated
with the GPO.
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test
yourself on just one exam objective, or you can test yourself on all the 70-647 certification
exam content. You can set up the test so that it closely simulates the experience of taking a certification
exam, or you can set it up in study mode so that you can look at the correct answers
and explanations after you answer each question.
MORE INFO Practice tests
For details about all the practice test options available, see the “How to Use the Practice Tests” section
in this book’s introduction.