In this video from IT Free Training I will look at the group strategy called AGUDLP,
how it works and how you can use it in your organization.
In the last video I looked at AGDLP. This is a method of providing role-based access
control in your organization. To refresh our memories, it goes like this. Accounts go into
global groups, which go into domain local groups, which are applied to resources as permissions.
This works well in a single domain environment or a small environment with few domains. In
a large enterprise with multiple domains, you will want to look at a different group
strategy like AGUDLP, as it scales better and provides more functionality and flexibility
than AGDLP.
AGUDLP adds universal groups between global groups and domain local groups. Accounts go
into global groups as before, but now these global groups go into universal groups, the
universal groups go into domain local groups, and the domain local groups are then applied
to the resources as permissions.
This seems like a lot of groups and a lot of complexity and the question is, “Is it
really worth the time and the effort?” On a large enough network there are a lot of
advantages to using AGUDLP.
Let’s look at an example of why on a large network you would need this extra complexity
and why these particular groups are chosen.
In this example there are five domains which are owned by the same parent company. Imagine
that you have a group of the top sales people. The group of top sales people are so good
that the company wants them to visit other companies and help the other sales people
become the top sales people, too. In order for this to occur, they need access to sales
information in each of the domains. Since this information is sensitive in nature, the
company does not want the average sales staff member to be able to access data from the
other companies, only the top sales people.
The easiest way to achieve this would be to create a universal group and put all the top
sales people in it. This universal group could be applied to all the shares in all the domains.
This would give all the top sales people access to the data they need. There are a number of
problems with this approach.
Let’s first consider administration. Having just the one top sales group would require
the administrator or administrators to have knowledge of all the sales people that need
to be in that group. You could select one administrator in each domain to keep this
group up to date but the problem is that all administrators will have equal access. That
is, they can all add and remove users from any domain and put them into the universal
group.
The next problem to consider is replication. Universal groups are replicated using the
global catalog server. This means that even the smallest change to the group will need
to be replicated to all domain controllers in every domain. Even though replication has
improved in newer versions of Active Directory for universal groups, in a large environment
you will want to minimize replication.
Now look at what happens when global groups are added. A global group can be created in
each of the five domains. These allow an administrator in each domain to have control over the users
in this group. Since the group is a global group, you can be assured that administrators
from each domain are not adding users from other domains into this group. Users that
need to be added to each group will have to go through the approval process for their company
to be added to this group.
Next these global groups are added to the universal group. The universal group acts
as a container for all the global groups. Since you are assigning permissions at essentially
the forest level you want to have some control over this. This group could be controlled
by the enterprise administrators although it does not need to be. The only work required
by the person or people in charge of this group would be to change the membership of
the groups when a new global group is added or removed. In this example, this would probably
only occur when a new domain is added to the forest.
Notice that now that global groups have been put into universal groups, the universal group
only changes when a global group is removed or added to the universal group. Users can
be changed in the global groups as often as is required. Each time a user is added or
removed from one of the global groups, notice that the universal group does not change.
Since the universal group is not changing, this significantly reduces the amount of replication
that occurs in your forest.
So far, using AGUDLP we have been able to divide up administrative control in a granular way,
reduce replication and provide forest-wide control of resources.
The next point to consider is why the domain local group is needed. Each administrator
in each domain has the best understanding of the servers and resources in their domain.
Let’s consider what kind of resources they have in their network.
Using a role based approach they may have groups like Invoice_Modify, General_Share_Modify,
IT_Software_Modify and Accountants_Modify. This is a short list, but in a large organization
there can easily be hundreds of groups. Imagine that even the top level administrator may
not have an understanding of all the shares and servers in the organization. Huge companies
often have different IT areas to handle different locations and it is impossible for one IT
administrator to understand or know where every resource is.
For this reason, it makes sense that groups like these are created so that local administrators
can control them. If they create a new share on a server they can provide access to these
groups as required. Notice that the administrator may not have access to change the membership
of the groups but can use these groups to provide access to resources.
Without an approach like this, an administrator would require knowledge of all resources in
the domain that the universal group would need access to. In a large network no one
person would know the answer to this.
The choice of group here is a domain local group since the domain local group scope is
limited to that domain. An administrator in a different domain could not use a domain
local group in their domain and bypass security.
Notice how easy it is when a new universal group like the top sales group is created.
An administrator in each domain only needs to look at the universal groups that are available
and add these to the domain local group. Think of it like ticking boxes on a form. Just as
ticking boxes on a form decides what you want, the IT administrator simply needs to
add the universal group to the required domain local groups in order to provide access. If
access needs to change later on, the administrator would simply change the membership of the
required domain local groups.
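The chain described above, built with the ActiveDirectory and SmbShare modules, as an added example that is not part of the IT Free Training video. The domain names, OU path, group names and share name are placeholders, and it assumes that passing group objects retrieved from one domain to Add-ADGroupMember in another domain works within the same forest.

```powershell
# Added example (not from the video): provision A -> G -> U -> DL -> P for the top sales scenario.
# All names below are placeholders; the video does not name its domains or groups.
Import-Module ActiveDirectory

$Domains      = @('sales-a.example.com', 'sales-b.example.com')  # placeholder child domains
$ForestRootDC = 'dc1.example.com'                                 # placeholder DC in the forest root
$GroupOU      = 'OU=Groups'                                       # placeholder OU, relative to each domain

# G: one global group per domain, so each domain's admins control only their own users
$GlobalGroups = foreach ($d in $Domains) {
    $dn = (Get-ADDomain -Server $d).DistinguishedName
    New-ADGroup -Server $d -Name 'G_TopSales' -GroupScope Global -GroupCategory Security `
        -Path "$GroupOU,$dn" -PassThru
}

# U: a single universal group in the forest root holds the global groups, never users,
# so day-to-day user changes in the global groups do not replicate through the global catalog
$rootDn = (Get-ADDomain -Server $ForestRootDC).DistinguishedName
$U = New-ADGroup -Server $ForestRootDC -Name 'U_TopSales' -GroupScope Universal `
    -GroupCategory Security -Path "$GroupOU,$rootDn" -PassThru
Add-ADGroupMember -Server $ForestRootDC -Identity $U -Members $GlobalGroups

# DL: each domain's admins "tick the box" by adding the universal group to a role-named
# domain local group; the domain local scope means it cannot be used from another domain
foreach ($d in $Domains) {
    $dn = (Get-ADDomain -Server $d).DistinguishedName
    $DL = New-ADGroup -Server $d -Name 'DL_SalesData_Read' -GroupScope DomainLocal `
        -GroupCategory Security -Path "$GroupOU,$dn" -PassThru
    Add-ADGroupMember -Server $d -Identity $DL -Members $U
}

# P: only the domain local group is ever placed on the resource (run on the file server
# in sales-a; the NetBIOS domain name and share name are placeholders)
Grant-SmbShareAccess -Name 'SalesData' -AccountName 'SALES-A\DL_SalesData_Read' `
    -AccessRight Read -Force
```

Adding or removing a top sales person later touches only that domain's G_TopSales group; U_TopSales and the domain local groups stay unchanged.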
Let’s review what we have learned in this video. Accounts go into global groups. This
allows administration at the domain level. Individual administrators in each domain have
control over which users from their domain go into this group.
The next group is a universal group. Using a universal group allows all the global groups
from all the different domains to be combined together. Doing it this way reduces the amount
of replication required in the forest each time a change occurs. You now have a group
that contains forest-wide users that can be used anywhere in the forest.
Next the universal group is put into the domain local group or domain local groups. Domain
local groups are local to the domain and thus can only be used in that domain. This limits
their use to only that domain, allowing better control and auditing. Using this approach
allows an administrator to quickly remove or add access to as many or as few groups in
that domain as required.
The domain local group is then applied to the resource as a permission. This allows
the local administrator to have control over how permissions on the resource are controlled.
At any time you can look at the membership of the domain local groups and audit access
to a resource.
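The audit described above, expanding a domain local group through its universal and global members down to the accounts that actually receive the permission, as an added example that is not part of the video. The group and domain names are placeholders; each member DN is resolved against its own domain, derived from its DC= components, because a child domain's global group is not readable through another domain's domain controller.

```powershell
# Added example (not from the video): flatten DL -> U -> G -> A and report where each
# account came from, which is the audit view AGUDLP is meant to make possible.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([string]$DN)
    # Join the DC= components of a DN into a DNS domain name, e.g. sales-a.example.com
    (($DN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
}

function Expand-GroupChain {
    param([string]$GroupDN, [string]$Chain = '', [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }     # guard against circular nesting
    $Seen[$GroupDN] = $true
    $domain = Get-DomainFromDN $GroupDN
    $grp    = Get-ADGroup -Identity $GroupDN -Server $domain -Properties member
    $label  = "$Chain/$($grp.Name)[$($grp.GroupScope)]"   # e.g. /DL_x[DomainLocal]/U_x[Universal]
    foreach ($memberDN in $grp.member) {
        # Ask the member's own domain about it; its DN tells us which domain that is
        $obj = Get-ADObject -Identity $memberDN -Server (Get-DomainFromDN $memberDN) `
            -Properties sAMAccountName
        if ($obj.ObjectClass -eq 'group') {
            Expand-GroupChain -GroupDN $memberDN -Chain $label -Seen $Seen
        } else {
            [pscustomobject]@{
                Account = $obj.sAMAccountName
                Domain  = Get-DomainFromDN $memberDN
                Via     = $label        # the nesting path that grants this account access
            }
        }
    }
}

# Start from the domain local group that sits on the share's ACL (placeholder names)
$dl = Get-ADGroup -Identity 'DL_SalesData_Read' -Server 'sales-a.example.com'
Expand-GroupChain -GroupDN $dl.DistinguishedName | Sort-Object Domain, Account | Format-Table -AutoSize
```

An account that appears with a Via path containing no Global link, or a group on the ACL whose scope is not DomainLocal, is a sign that someone has bypassed the strategy and added a principal directly.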
There is a lot to AGUDLP and it is often difficult for the new IT administrator to understand
why you would even need it. But if you consider a very large group of companies it makes sense
why you would need a system that allows delegation of control, efficiency in replication, flexibility
for changes and ease of auditing. In a large company with many different departments and
locations, having this kind of control is essential and invaluable.
That’s it for group strategy. In the next video I will look at universal group caching.
This allows a domain controller to cache universal groups locally when a global catalog is not
available. This allows a user to log in when a global catalog server is not available.
Thanks for watching another video from IT Free Training. All our videos are free of
charge and available for you to watch on YouTube. See you next time.