Adding groups to other groups, in a process called nesting, creates a hierarchy of groups that supports your business rules and management rules. A best practice for group nesting is known as IGDLA, which is an acronym for the following: Identities, Global groups, Domain Local groups, and Access. The parts of IGDLA are related in the following way: identities, which are user and computer accounts, are members of global groups, which represent business roles. Global groups, also known as role groups, are members of domain local groups, which represent management rules, for example, determining who has the read permission to a specific collection of folders. Then domain local groups, also known as rule groups, are granted access to resources. In the case of a shared folder, you grant access by adding the domain local group to the folder's ACL with a permission that provides the appropriate level of access.

Now, in a multidomain forest, the best practice for group nesting is known as IGUDLA. The additional letter U stands for universal groups, and in this case we have identities, global groups, universal groups, domain local groups, and access. In this case, global groups from multiple domains are members of a single universal group, and that universal group is a member of domain local groups in multiple domains.

Now let's review an IGDLA example.
The figure on this slide represents a group implementation that reflects the technical view of group management best practices, or IGDLA, and the business view of role-based, rule-based management. Consider the following scenario: the sales force at the Contoso company has just completed its fiscal year. Sales files from the previous year are in a folder called Sales. The sales force needs read access to the Sales folder. Additionally, a team of auditors from Woodgrove Bank, which is a potential investor, requires read access to the Sales folder to perform the audit. You can implement the security for this scenario by following these steps.

The first step is to assign users with common job responsibilities or other business characteristics to role groups, which are implemented as global security groups. Do this separately in each domain. Add salespeople at Contoso to a Sales role group. Add auditors at Woodgrove Bank to an Auditors role group.

The second step is to create a group to manage access to the sales folders with Read permission. You implement this in the domain that contains the resource that is being managed, in this case the Sales folder in the Contoso domain. Therefore, you create the resource access management rule group as a domain local group named ACL_Sales_Read.
The third step is to add the role groups to the resource access management rule group to represent the management rule. These groups can come from any domain in the forest or from a trusted domain such as Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same forest, can be members of a domain local group. The fourth step is to assign the permissions that implement the required level of access. In this case, grant the Allow Read permission to the domain local group.

This strategy results in true single points of management, thereby reducing the management burden. One point of management defines who is in sales and the other point of management defines who is an auditor, because these roles are likely to have access to a variety of resources beyond the Sales folder. You have another single point of management to determine who has read access to the Sales folder. Furthermore, the Sales folder might not be a single folder on a single server. It could be a collection of folders across multiple servers, each of which assigns the Allow Read permission to the single domain local group.

Some words about configuring a group manager. The properties page of a group has a Managed By tab. Use this to provide information about which manager is responsible for this group.
When you add a user or group to the Name field, AD DS will provide information about that user, such as office address and telephone number. There is also a checkbox called Manager can update membership list that allows the manager of the group to manage group membership. This is useful in distributed administrative environments in which managers are responsible for controlling their own department groups.
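The four IGDLA steps of the Contoso/Woodgrove Bank scenario, plus the Managed By setting, as an added PowerShell example that is not part of the course material. It assumes the ActiveDirectory module, the domain names contoso.com and woodgrovebank.com (a trusted external domain), and placeholder OU paths, user names, share path and manager account.

```powershell
# Added example (not from the course): implements the IGDLA scenario described above.
# Assumed: contoso.com holds the Sales folder and the sales staff; woodgrovebank.com is the
# trusted external domain with the auditors. OU paths, users, share path and manager are placeholders.
Import-Module ActiveDirectory

$contoso   = 'contoso.com'
$woodgrove = 'woodgrovebank.com'
$rolesOU   = 'OU=Role Groups,DC=contoso,DC=com'                  # placeholder OU
$aclOU     = 'OU=Resource Access Groups,DC=contoso,DC=com'       # placeholder OU
$salesPath = '\\FS01\Sales'                                      # placeholder folder/share

# Step 1: identities -> role groups (global security groups), done separately in each domain.
New-ADGroup -Name 'Sales' -GroupScope Global -GroupCategory Security -Path $rolesOU -Server $contoso
Add-ADGroupMember -Identity 'Sales' -Members 'alice', 'bob' -Server $contoso      # constructed users
New-ADGroup -Name 'Auditors' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Role Groups,DC=woodgrovebank,DC=com' -Server $woodgrove
Add-ADGroupMember -Identity 'Auditors' -Members 'carol' -Server $woodgrove        # constructed user

# Step 2: the management-rule group is a domain local group in the domain that holds the resource.
# -ManagedBy fills the Managed By tab; the "Manager can update membership list" checkbox is a
# separate permission on the group object and is not set by this parameter.
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path $aclOU -Server $contoso -ManagedBy 'sales.manager'                     # placeholder manager

# Step 3: nest the role groups (same forest or trusted external domain) into the domain local group.
# -Server targets the domain that holds each group so the objects resolve across the trust.
$salesRole    = Get-ADGroup -Identity 'Sales' -Server $contoso
$auditorsRole = Get-ADGroup -Identity 'Auditors' -Server $woodgrove
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members $salesRole, $auditorsRole -Server $contoso

# Step 4: grant Allow Read to the domain local group only. Users never appear in the folder ACL;
# repeat this block for every folder in the collection that the single rule group governs.
$acl  = Get-Acl -Path $salesPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'CONTOSO\ACL_Sales_Read', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $salesPath -AclObject $acl
```

Changing who is in sales or who audits is then a membership change on one role group, and changing who may read the folders is a membership change on ACL_Sales_Read, which is the single-point-of-management property the lecture describes.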