Tuesday, February 25, 2020

Windows Server - Group Nesting

What is group nesting?

Group nesting makes it easier to manage access to resources
In almost all cases, you should use groups to control access to resources instead of granting permissions to individual user objects. Placing groups within groups (also called group nesting) is an important part of designing and using groups to control access to resources.
If you nest groups, you can manage multiple objects and groups at once, and you get a more modular and flexible group structure. Nesting creates a hierarchy of groups that supports your business roles and management rules.

What is IGDLA?

IGDLA is a best practice for nesting groups
IGDLA is an acronym for the four layers, applied in this order:
    1. Identities. Create the user and computer accounts.
    2. Global groups. Create global groups based on business roles, for example Sales and Auditors, and add the identities to them. A global group can only contain accounts from its own domain.
    3. Domain-local groups. Create domain-local groups based on management rules, for example ACL_SalesFolders_Read, which brings Sales and Auditors together. Add the global groups to the domain-local groups.
    4. Access resources. Assign permissions to the domain-local group on the resource, for example by adding it to the folder's ACL. A domain-local group can only be granted permissions on resources in its own domain.
In a multi-domain forest it is IGUDLA
In a multi-domain forest, the best practice for group nesting is known as IGUDLA. The additional letter U stands for universal groups, which fit between the global and domain-local groups: the global groups from each domain are nested in a universal group, and the universal group is nested in the domain-local group. Universal groups exist for this step because a global group cannot hold accounts from another domain, while a universal group can. The trade-off is that universal group membership is stored in the global catalog and replicated across the forest, so nest global groups in universal groups rather than individual users, so that day-to-day membership changes do not trigger forest-wide replication.
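The four IGDLA steps above, plus the universal-group layer of IGUDLA, as an added PowerShell example (this is not code from the original post). It uses the ActiveDirectory module from RSAT. The domain contoso.com, the OU, the folder path D:\SalesFolders, the user names, and the second domain eu.contoso.com used in the IGUDLA branch are all assumptions for illustration; run it against a lab domain from an account that can create objects in that OU.

```powershell
# Added example (not from the original post): builds the IGDLA chain with the
# ActiveDirectory PowerShell module (RSAT), then grants the domain-local group on
# a folder. The OU, folder path, user names and the second domain used for the
# IGUDLA variant are assumptions for illustration.
Import-Module ActiveDirectory

$ou       = 'OU=Corp,DC=contoso,DC=com'   # assumed OU for the new objects
$folder   = 'D:\SalesFolders'             # assumed path on the file server
$aclGroup = 'ACL_SalesFolders_Read'       # domain-local group named after the rule

# 1. Identities: role -> sample user accounts (constructed names).
$roles = @{
    Sales    = 'sales1', 'sales2'
    Auditors = 'audit1'
}
foreach ($role in $roles.Keys) {
    foreach ($sam in $roles[$role]) {
        if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) {
            # Created disabled; set a password and enable the account separately.
            New-ADUser -Name $sam -SamAccountName $sam -Path $ou -Enabled $false
        }
    }
}

# 2. Global groups named after business roles; members are the identities.
foreach ($role in $roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $ou
    }
    Add-ADGroupMember -Identity $role -Members $roles[$role]
}

# 3. Domain-local group named after the management rule; members are the global groups.
if (-not (Get-ADGroup -Filter "Name -eq '$aclGroup'")) {
    New-ADGroup -Name $aclGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $aclGroup -Members 'Sales', 'Auditors'

# IGUDLA variant for a multi-domain forest: a global group cannot hold accounts
# from another domain, so collect each domain's role group in a universal group
# and nest that in the domain-local group. 'eu.contoso.com' is an assumed second
# domain that also has a global 'Sales' group.
$multiDomain = $false
if ($multiDomain) {
    $uni = 'U_Sales_Forest'
    if (-not (Get-ADGroup -Filter "Name -eq '$uni'")) {
        New-ADGroup -Name $uni -GroupScope Universal -GroupCategory Security -Path $ou
    }
    $euSales = Get-ADGroup -Identity 'Sales' -Server 'eu.contoso.com'
    Add-ADGroupMember -Identity $uni -Members 'Sales', $euSales
    Add-ADGroupMember -Identity $aclGroup -Members $uni
}

# 4. Access: exactly one ACE on the folder, granted to the domain-local group.
$netbios = (Get-ADDomain).NetBIOSName
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$netbios\$aclGroup", $rights, $inherit, $prop, $allow)
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: walk the nested chain and list every user who ends up with read access.
Get-ADGroupMember -Identity $aclGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
```

The final Get-ADGroupMember -Recursive call is the check worth keeping: it flattens the whole chain, so after any change to the role groups you can confirm exactly which accounts the single ACE on the folder now reaches.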
Group Nesting Example
Consider this scenario where you have three domains and in each domain there are five people who need access to a file in one of the domains.
Image of three domains with five people in each domain. A document is shown in one of the domains.
How many file permissions do you need to create to assign permissions on this file for each user? Fifteen: one access control entry (ACE) per user on the file's ACL, and every new hire or departure means editing that ACL again.
  • Consider that you now group the users in each domain into global groups. So, you now have three global groups, one for each domain.


Each domain's users are shown consolidated into a total of three global groups.
How many permissions on the file do you need to assign now? Three: one ACE per global group. There has to be one global group per domain because a global group can only contain accounts from its own domain.
  • Now, suppose you create a domain local group and add the global groups.

All the global groups have been added to one domain local group.
How many permissions must you assign to the domain local group? One: a single ACE for the domain-local group covers all fifteen users, and from then on membership changes are made in the groups, not on the file.
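The scenario counts ACEs on one file; on a real server the question is whether an existing folder already follows the pattern. The following added PowerShell example (not from the original post) reads a folder's ACL, flags entries granted directly to user objects, and for each group entry resolves how many users the nested chain actually reaches. The folder path is an assumption; it needs the ActiveDirectory module, and looking up a principal from another domain assumes a trust that permits the query.

```powershell
# Added example (not from the original post): audits a folder's ACL for the
# anti-pattern the post argues against (permissions granted straight to user
# objects) and, for each group ACE, resolves how many users the nested chain
# grants. The folder path in the usage line is an assumption.
Import-Module ActiveDirectory

function Get-FolderAceReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value        # e.g. CONTOSO\ACL_SalesFolders_Read
        # Well-known principals (BUILTIN\..., NT AUTHORITY\..., CREATOR OWNER) are not
        # AD objects, so only DOMAIN\name references are looked up.
        if ($id -notmatch '^([^\\]+)\\(.+)$') { continue }
        $netbios, $sam = $Matches[1], $Matches[2]
        if ($netbios -in 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE') { continue }

        # -Server accepts the NetBIOS domain name, so trusted domains resolve too.
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Server $netbios -ErrorAction SilentlyContinue
        if ($null -eq $obj) { continue }

        if ($obj.ObjectClass -eq 'group') {
            # Flatten the nested chain to the users it ultimately grants.
            $users = @(Get-ADGroupMember -Identity $obj.DistinguishedName -Server $netbios -Recursive |
                       Where-Object { $_.objectClass -eq 'user' })
            $count = $users.Count
        } else {
            $count = 1
        }

        [pscustomobject]@{
            Identity  = $id
            Class     = $obj.ObjectClass              # 'user' here is the finding
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Users     = $count
        }
    }
}

# Usage (path assumed). A row with Class = user and Inherited = False is a
# direct grant that should be replaced by membership in the IGDLA chain.
Get-FolderAceReport -Path 'D:\SalesFolders' | Format-Table -AutoSize
```

Inherited entries are reported but not the target of the cleanup: fix the explicit user ACE on the folder where it was set, and the inherited copies below it disappear with it.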
