Groups and AGDLP in Windows 2012 R2

Captions
In this video we'll take a look at group accounts in Active Directory. We're going to go into Active Directory Users and Computers to accomplish this, and we'll take a look at what groups are. Now, when you create a new domain there are already a lot of groups: some of them are global, some are domain local, and some are even universal. We're going to talk about all the differences between those. So what we want to do here first is take a look at what the process is for creating a group, and then a little bit later we'll take a look at the best practices and how we should structure our domain in order to make it very self-documenting and very easy to work with.

So the first thing we'll do is just create a group. Now, when we think about a group in Active Directory, we're not thinking about something that benefits the users; we're thinking about something that benefits us, the administrators. So I'm going to create a group, and let's name this one Accounting, just for kicks. I'm going to have a couple of the users that I created in an earlier video, Bob, Joe, Linda and Mary, all be members of this Accounting group. You can think of a group as something that all of these users have in common, and we set these groups up so that we can organize them. If we know that they're all in accounting, perhaps there's something that we want to grant to the Accounting group as a whole rather than individually.

Now, one weakness of the Windows Server and Active Directory environment is that there isn't a great way to find out what permissions have been handed out. There isn't a great way to go and see "oh, I granted Bob permission to that file on that file server way over there," because all those explicit permissions are buried down in the NTFS file system; they might be buried in shared folders or something else, because anything can receive permissions from any object. So the best thing we can do for ourselves as administrators is to be very organized and make it very easy to track down, almost like leaving yourself a trail of breadcrumbs to find out how you've set things up.

So we have Accounting, and it's going to be several of our users here, and we have some group scopes, and we have two group types: a security group and a distribution group. The security group is a group that's created to assign permissions, so if we're grouping these people together to assign permissions to something, that is a security group, and almost always you'll be using security groups. If you're grouping people together for the purposes of email distribution, that would be a distribution group. But primarily our need, until we get into Microsoft Exchange or some other email distribution type of setup, is focused on security groups, which is why it's the default. Later on we're going to see why grouping our users like this is going to be most appropriate for global, but you can think of Accounting as something that describes all of the users together: they are all in the accounting department. Okay, so we'll create this group and say OK.

I'm going to click on Bob first, I'll double-click on it, and I'm going to go to Member Of. This lists all of Bob's group memberships. I can click Add, type in Accounting and hit Enter, and now he's in the Accounting group. I say OK; he's in the Accounting group, so anything I assign as far as permissions to Accounting I'm also assigning to Bob. It's almost like we gave him another key on his keychain: he had his Bob key that can unlock anything that Bob has access to, and he has an Accounting key that can unlock anything that Accounting has access to. If I now go into this Accounting group, I can see that in the Members list is Bob. So we've seen that you can add a membership by going into the user and the Member Of tab and adding Bob as a member. I'm going to show you another way to do that. We can add Mary, so I've added Mary here and say OK, and I can add all my other users directly from here, which is a handy way to do it. You can see all of the members in the Accounting group; I'll say OK. Another thing you can do is click on your users, even hold down the Ctrl key and click multiple users, right-click on them and say Add to a group. So if you have a bunch of users to select at once, you can select a bunch of them, right-click, say Add to a group, and you can even just start typing in Accounting; you don't have to type the whole thing. You can say Check Names, it'll find out if it's unique and it'll underline it showing that it was found, and you can say OK. "The Edit group operation was successfully completed." We can go back into Accounting now and see that Linda Jones and Mary were both added to the group as well: four people in the accounting department now.

Now I could start assigning Accounting a bunch of permissions, but that's not going to make it very easy for me to figure out ultimately what Accounting has permission to. So there's a Microsoft recommendation called AGDLP that structures the way that you should create group memberships. Here's kind of how it works. AGDLP is a Microsoft recommendation, and you'll find this all over the web because this is the standard. There are easy shortcut ways to do things and then there's the right, standard way to do things, and this is the right, standard way. We assign users to global groups, and then instead of assigning those global groups the permissions directly, we're going to add the global groups to domain local groups, and then from there we're going to assign those domain local groups the permissions. Why do we do this? Well, we can structure things a little bit better by doing so. Instead of just assigning Accounting to a bunch of different permissions, we're going to make another group in between called Finance Files and Payroll Files and things like that, and then we'll assign Finance Files permissions right over to the Finance Files file share.

Let's take a look at how that's done. Let's say I want to create a shared folder, Finance Files, and maybe I also want to create one called Payroll Files. Don't worry about the accounting side of this, that's not what's important here, but there are two different resources we want to grant permission to the Accounting group. Instead of just assigning Accounting permission to those, I'm going to make another new group, and this one I'm going to make a domain local group. I'm going to call it Finance Files, and I could even choose to say Modify, something like that, that defines exactly the permission I'm granting. I make it a domain local, and there's a reason for this structure and I'll show you in a minute, and we're going to keep it as a security group. So I'm going to call it Finance Files Modify. So now Accounting has these members, but now I'm going to make Accounting a member of the Finance Files Modify group. The reason I want to do that is because now I'm going to make a more self-documenting structure. Type in "fina" and hit Enter; that's enough to make that unique. So now Accounting is a member of Finance Files Modify, and the only purpose for this group is to assign those permissions to that one resource. You're going to end up with a lot more groups by doing this method, but I'll tell you what, it's going to tell you exactly the permissions you're going to be handing out.

I'm going to go into Payroll Files, and I'm going to go to Security, and for Finance Files Modify I'm going to grant the Modify permission. So now Bob is a member of Accounting, who's a member of Finance Files Modify, which is how he gets permission to this folder. Payroll Files is going to be the same way: I'm going to make a group called Payroll Files Modify, I'm going to make it domain local (domain local is always the one that we're going to use to assign permissions in the AGDLP structure), and I'm going to go here to Payroll Files and I'm going to give that permission there too. Oops, I put Finance Files in the wrong place; I need to go and remove that one. I need Payroll Files here, Payroll Files Modify, and then for Finance Files I'm going to do that permission over here. Okay, so now the Finance Files Modify group is what grants access to modify the Finance Files, and the Payroll Files Modify group membership is what grants access to modify the Payroll Files.

So how handy is this? Now in the Accounting group I can go in, I can see exactly who the members are and exactly what permissions they're going to get. I'm going to add Payroll Files in here as well, Payroll Files Modify, and apply that. So I can quickly and easily see the members and the permissions I've granted them. It's very self-documenting, and it makes it very easy for me to tell exactly what's going on with that group membership. And I can even follow this chain on through: I go into Bob, I find out what he's a member of, oh, he's a member of Accounting, I can double-click right from here on Accounting and see what Accounting is a member of. Oh, Finance Files Modify, perfect, Payroll Files Modify. The expectation is that he should be able to get into Finance Files and Payroll Files from here without any trouble. So when another administrator comes along and needs to take a look at this, they think "oh, who's got permission to this?" Well, there should be a group that's defined with these permissions. You don't have to go hunting around in here; you can manage all of your permissions just from the permissions that you're granting here.

So here's something that happens right in your organization: suddenly management comes along and needs some permission. I'm going to make a new group called Management; this one's going to be a global group, this is a department. The management department comes along and they say "hey, I need access to some of those things that Accounting has." Management needs to get to Finance Files. I don't need to go and find my file server, I don't need to go and find where all those permissions are assigned; I can just go into Management and make Management a member of Finance Files Modify, and poof, they have permission.

So this AGDLP structure seems like it's a lot of work on the front end, and it is. You have to create your users, which you always have to do; you have to create groups, which we typically would do anyway; but if you choose to create domain local groups that define the permissions that you're handing out, everything becomes very clear and easy to you. When you go and see what the Management group has permission to, in this case they just have Finance Files Modify. So it kind of gives you a bit of a separation between actually putting in your permissions over here and then managing all of your permission structure here. It's easier to track down, it's easier to troubleshoot, and it's easier when you're working with multiple administrators. How easy would it be for you to sit down at this organization and suddenly create a new group called HR who has access to Payroll Files? It'd be very easy. You wouldn't have to go and find all of the permissions out there that they need; you would be able to manage everything from this console. So this is the recommendation, this is Microsoft's recommendation, and this is what most companies do use, because it is a very good structured strategy.

Now here's the difference between the global groups and the domain local. You may have been wondering, well, why don't I make the Accounting group a domain local, or why don't I make the Finance Files Modify group a global as well, or why don't I bother with a universal? These have to do with group scope in a multi-domain environment. A global group can be assigned as a member of a domain local group anywhere in the forest. This can be handy because if we have another domain with their own Finance Files, this Accounting group in this domain can be added to that other domain's Finance Files group. Users can kind of jump from one domain to another using these global groups and gain access to those other resources. So it becomes really handy for us to structure things like that. If you always think of global groups as a collection of users and domain local groups as a collection of permissions, and then you link the two together, that is the structure that you should work with. It's very easy to just start throwing groups around and permissions around, and it becomes a mess and very difficult to manage. So get in a good habit and do this the right way from the beginning.

The other reason that a domain local is used for permissions is because permissions are assigned to resources. Resources don't move between domains; resources never jump around to find users in another domain. It's always users going to find resources, which is why the flow works like this: accounts go into global groups, which help them jump into these domain local groups anywhere in the forest and gain permissions from there. So that is the structure we use in Active Directory to build our group memberships.
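The same AGDLP build-out the video performs in the Active Directory Users and Computers GUI, scripted with the ActiveDirectory PowerShell module. This is an added example and not code from the video or its author. It assumes a hypothetical domain corp.example (NetBIOS name CORP) with an existing OU "OU=Groups,DC=corp,DC=example", user accounts with sAMAccountNames bob, joe, linda and mary, and share folders at D:\Shares\FinanceFiles and D:\Shares\PayrollFiles on the server where the script runs. Group names use a hyphenated form (FinanceFiles-Modify) rather than the spaces used in the video; that is a naming choice, not a requirement. The last three functions are the checks an administrator wants afterwards: expand a permission group to its effective users, trace one user's path from account to resource, and flag any ACE on a share that bypasses the domain-local layer.

```powershell
# Added example: AGDLP with the ActiveDirectory module. Domain, OU, user names and
# share paths below are assumptions for illustration.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=corp,DC=example'   # assumed to exist
$domainNetbios = 'CORP'                       # assumed NetBIOS domain name

# A -> G: accounts go into global "role" groups (a collection of users).
New-ADGroup -Name 'Accounting' -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'Management' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'Accounting' -Members 'bob', 'joe', 'linda', 'mary'

# DL: one domain-local "permission" group per resource and right; the Description
# documents exactly what the group grants, so the group is self-documenting.
New-ADGroup -Name 'FinanceFiles-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Modify on D:\Shares\FinanceFiles'
New-ADGroup -Name 'PayrollFiles-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Modify on D:\Shares\PayrollFiles'

# G -> DL: roles obtain rights by joining permission groups, never by direct ACEs.
Add-ADGroupMember -Identity 'FinanceFiles-Modify' -Members 'Accounting', 'Management'
Add-ADGroupMember -Identity 'PayrollFiles-Modify' -Members 'Accounting'

# DL -> P: the only non-inherited principal on the NTFS ACL is the domain-local group.
function Grant-FolderModify {
    param([string]$Path, [string]$GroupName)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domainNetbios\$GroupName",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-FolderModify -Path 'D:\Shares\FinanceFiles' -GroupName 'FinanceFiles-Modify'
Grant-FolderModify -Path 'D:\Shares\PayrollFiles' -GroupName 'PayrollFiles-Modify'

# Check 1: who effectively has Modify on Finance Files? Expand the DL group through
# its nested global groups down to user accounts.
function Get-EffectiveMembers {
    param([string]$ResourceGroup)
    Get-ADGroupMember -Identity $ResourceGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
Get-EffectiveMembers -ResourceGroup 'FinanceFiles-Modify'   # bob, joe, linda, mary (+ Management members)

# Check 2: what can one user reach? Walk user -> global groups -> domain-local groups,
# the same chain the video follows by hand through the Member Of tabs.
function Get-UserResourceGroups {
    param([string]$User)
    Get-ADPrincipalGroupMembership -Identity $User |
        Where-Object GroupScope -eq 'Global' |
        ForEach-Object { Get-ADPrincipalGroupMembership -Identity $_.DistinguishedName } |
        Where-Object GroupScope -eq 'DomainLocal' |
        Sort-Object Name -Unique |
        Select-Object Name, Description
}
Get-UserResourceGroups -User 'bob'   # FinanceFiles-Modify and PayrollFiles-Modify

# Check 3: guard against drift. Any explicit (non-inherited) ACE on the share that names
# a user or a global/universal group directly bypasses AGDLP and is reported.
# Well-known principals (SYSTEM, CREATOR OWNER, BUILTIN\Administrators) are skipped.
function Find-NonAgdlpAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { $_.IdentityReference.Value -notmatch '^(NT AUTHORITY|CREATOR OWNER|BUILTIN)\\' } |
        ForEach-Object {
            $sam = ($_.IdentityReference.Value -split '\\')[-1]
            $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -Properties groupType
            # groupType bit 0x4 marks a domain-local group (0x2 global, 0x8 universal).
            $isDomainLocal = $obj -and $obj.ObjectClass -eq 'group' -and (($obj.groupType -band 0x4) -ne 0)
            if (-not $isDomainLocal) {
                [pscustomobject]@{ Path = $Path; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            }
        }
}
Find-NonAgdlpAces -Path 'D:\Shares\FinanceFiles'   # empty output means the ACL follows AGDLP
```

Run the three checks periodically rather than once: the value of AGDLP comes from the discipline that permission groups are the only principals on resource ACLs, and Find-NonAgdlpAces is what tells you when another administrator has taken the "easy shortcut" the video warns about. Adding the HR-to-Payroll case from the video is then one line, `Add-ADGroupMember -Identity 'PayrollFiles-Modify' -Members 'HR'`, with no visit to the file server.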
Info
Channel: Professor Hornung
Views: 12,693
Keywords: groups, agdlp, agudlp, windows server, active directory, security, distribution, global, domain local, create groups, group nesting
Id: cO2DBgGYBFE
Length: 16min 4sec (964 seconds)
Published: Mon Nov 14 2016