Wednesday, May 28, 2014

Creating Universal Groups, the AGUDLP strategy, and Making Sure your people can log in Anywhere in your Enterprise on 2008

*Time for Some More users!
*The types of groups
*Setting up your users so they can log in Anywhere in your enterprise
______________________________________________________________________
Now I will create a few users and OUs in AD Users and Computers.


Ex : I will create a ChicagoOU with two sub-OUs, ChicagoUsers (which itself has two sub-OUs, ChicagoOPS and ChicagoSales) and ChicagoComputers.
Then create a few groups so we can add users to them. (Ex : ChiOps, ChiOpsManager, ChiSales, ChiSalesManager)

How many types of Groups are there in AD?
There are two core types of Groups:
A) Security Group : Security Groups allow you to grant permissions to resources.
B) Distribution Group : Distribution Groups are basically Email lists and aren't used very often; they are used for Exchange Server Email Distribution Groups.

There are Three scopes of security Groups:
1) Global Group : Usable in any trusted domain in your forest; users can only come from the home Domain.
2) Universal Group : Usable in any trusted domain in your forest; users can come from any Domain.
3) Domain Local Group : Usable in the Domain it lives in ONLY; users can only come from the home domain.

AGUDLP
*Now that we have multiple domains, we also have the challenge of making sure that we can easily provide access to resources between them.
*AGUDLP is a strategy that we can use to grant access in a more "Reusable" way.
 

*Here's how it works:
AGUDLP:
A-ccounts (Users) go into G-lobal groups > the Global Group becomes a member of a U-niversal Group > the Universal Group becomes a member of a D-omain L-ocal Group >
P-ermissions to network resources are then granted to the Domain Local Group.

Setting Up your Groups for Access Between Domains:
*The Sales team will need access to the Sales docs folder, as the sales program will be pretty much the same throughout the company. Here's what we will do to get them access to the SalesDocs folder over in New York:

1) In the na.globomantics (child Domain) domain, all the Chicago sales user A-ccounts go into a G-lobal Group called ChicagoSales.
2) We will create a U-niversal Group in the NA domain called ALLSales and make ChicagoSales a Member of ALLSales.
3) In globomantics.com (DC1, New York) we will create a D-omain L-ocal Group called SalesDocsAccess and make ALLSales a member of it.
4) On the New York Member File Server we will grant P-ermissions to the Domain Local Group SalesDocsAccess on the SalesDocs folder.


Implementation

1) Add all the Sales users to the ChicagoSales group.
2) Now create another group named ALLSALES; the Group scope will be Universal and the Group type will be Security.
3) Now make the ChicagoSales group a member of ALLSALES: right click on ChicagoSales > Add to group > type ALLSALES > OK. So ChicagoSales is a member of the ALLSALES group.
4) Now go to DC1 (globomantics.com) and create a Group "SalesDocsAccess" with "Domain local" Group scope and "Security" Group type.
5) Now make ALLSALES a member of SalesDocsAccess: right click on the "SalesDocsAccess" group > Properties > Members > type ALLSALES > OK. So ALLSALES is a member of the "SalesDocsAccess" group.
6) Now go to the File server (member Server) > go to the SalesDocs shared folder > Add SalesDocsAccess with Reader permissions > Share.
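The same six steps as a script, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module (which needs a Windows Server 2008 R2 or later DC running ADWS), the OU path, folder path and NetBIOS name GLOBOMANTICS shown below, and that the account running it has rights in both domains.

```powershell
# Added example (not from the original post): the AGUDLP chain as a script.
# Assumes the ActiveDirectory module, the paths and NetBIOS name below, and
# rights in both domains.
Import-Module ActiveDirectory

$ChildDomain = 'na.globomantics.com'   # where the Chicago users live
$RootDomain  = 'globomantics.com'      # where the Domain Local group lives
$SalesOU     = 'OU=ChicagoSales,OU=ChicagoUsers,OU=ChicagoOU,DC=na,DC=globomantics,DC=com'  # assumed
$FolderPath  = 'D:\SalesDocs'          # assumed path on the New York file server

# A -> G : Chicago sales accounts go into a Global security group in the child domain.
New-ADGroup -Name 'ChicagoSales' -GroupScope Global -GroupCategory Security -Path $SalesOU -Server $ChildDomain
$salesUsers = Get-ADUser -Filter * -SearchBase $SalesOU -Server $ChildDomain
Add-ADGroupMember -Identity 'ChicagoSales' -Members $salesUsers -Server $ChildDomain

# G -> U : the Global group becomes a member of a Universal group (Universal group
# membership is replicated to the Global Catalog, which is why the GC matters at logon).
New-ADGroup -Name 'ALLSALES' -GroupScope Universal -GroupCategory Security -Path $SalesOU -Server $ChildDomain
Add-ADGroupMember -Identity 'ALLSALES' -Members (Get-ADGroup 'ALLSALES' -Server $ChildDomain | Out-Null; Get-ADGroup 'ChicagoSales' -Server $ChildDomain) -Server $ChildDomain

# U -> DL : in the root domain, the Universal group goes into a Domain Local group.
# Pass the ADGroup object (not just the name) so the cmdlet can resolve the cross-domain member.
New-ADGroup -Name 'SalesDocsAccess' -GroupScope DomainLocal -GroupCategory Security -Server $RootDomain
Add-ADGroupMember -Identity 'SalesDocsAccess' -Members (Get-ADGroup 'ALLSALES' -Server $ChildDomain) -Server $RootDomain

# DL -> P : permissions go ONLY to the Domain Local group, never to users or the Global group.
# NTFS: read-only, inherited by subfolders and files.
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'GLOBOMANTICS\SalesDocsAccess',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl
# Share permission: Reader on the share as well (2008 has no Grant-SmbShareAccess, so net share).
net share "SalesDocs=$FolderPath" "/GRANT:GLOBOMANTICS\SalesDocsAccess,READ"

# Check each link of the chain from the DC side. Group SIDs are put into the user's
# token at logon, so a Chicago user must log off and on before "whoami /groups" shows
# SalesDocsAccess and the share opens.
Get-ADGroupMember -Identity 'SalesDocsAccess' -Server $RootDomain  | Select-Object Name, objectClass
Get-ADGroupMember -Identity 'ALLSALES'        -Server $ChildDomain | Select-Object Name, objectClass
```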

Note : As long as there's a Global Catalog at a Site, your users can log in with an "Email address" style login, like sri@globomantics.com.
If there's no Global Catalog, you will need to enable Universal Group Caching on the Site. Simple: Sites > select the site > NTDS Settings > Properties > check mark Universal Group Caching on the Site.


Notes:
*Security Group : Group object in AD that allows you to provide access to resources on the network.
*Distribution group : Group object in AD that acts as an email distribution list.
*Global Group - A group usable in any trusted Domain in your forest. Users can only come from the "home" domain. Can be a member of a Universal Group.
*Universal Group - A group usable in any trusted domain in your Forest. Users can only come from "Any" domain. Can be a member of Domain Local.
*Domain Local - A group usable only in the Domain it lives in. Users can only be from the Domain it lives in, but Universal Groups can be Members of the Domain Local.

Now after this course you can:
*Distinguish between Global, Universal and Domain Local Groups.
*Distinguish between Security and Distribution Groups.
*Utilize AGUDLP to provide access to resources across domains.
*Ensure that users can log in to another domain by either providing a Global Catalog at a Site or using the Universal Group Caching setting on a Site.