MCITP 70-640: AGUDLP Group Strategy

This video looks at a role-based strategy for Active Directory called AGUDLP. AGUDLP can be used in multiple-domain environments to provide distributed control between different domain administrators while still providing access to resources at the forest level.

What AGUDLP stands for
A Accounts
G Global Groups
U Universal Groups
DL Domain Local Groups
P Permissions

Advantages of AGUDLP
Allows administration to be divided up between different administrators in the forest. Administrators can have control at the forest level, or control can be separated at the domain or resource level.

Since AGUDLP is a role-based strategy, when a user changes their role, for example by being promoted or transferred, access can quickly and easily be changed.
AGUDLP also allows easy auditing. By looking in the group it can quickly be determined who has access to which resources.

Why each group is used
Global Groups
Global groups only contain users, computers, and other global groups from the same domain. Using a global group allows the administrator to divide up control between different domains. For example, if you wanted a sales group that had all sales users from all domains in the forest, you would first create a global group for the sales users in each domain. This allows the domain administrators in each domain to be responsible for keeping this group up to date.

Universal Groups
Universal groups allow users, computers, global groups and other universal groups to be members. Because of this, a universal group can have the global groups from all the other domains as members. For example, a universal group could have as members the sales group from all the other domains. Universal groups are available forest wide and thus are replicated using the global catalog server. For this reason, you will want to reduce replication as much as possible in the forest. Replication will only occur when membership of the universal group has changed. Since the universal group contains global groups, the membership of the global groups can change without affecting the membership of the universal group. The only time the universal group would need to be replicated is when a global group is added or removed from the universal group.

Domain Local Group
The domain local group is applied to the resources as a permission. Domain local groups can only be used in the domain that they were created in. By using domain local groups, a local domain administrator can simply add the domain local group to the resources and configure the appropriate permissions. This administrator may not have access to change the membership of the other groups, which means that they do not have control over which users go into the group. This does not affect their ability to use the group on local resources. This means that by using a domain local group, the scope of the group can be limited to use for that domain only and also be delegated out to other administrators. At this level, it is easy to add or remove the universal group to any domain local group as required, making changing access very quick and flexible.
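
The scope rules and the auditing benefit described above, modeled in Python as an added example (not from the video or its author). The domains EAST and WEST, the group names and the users are constructed, and the `Principal` class and `effective_accounts` helper are hypothetical names for illustration.

```python
from dataclasses import dataclass, field

# Member kinds each scope accepts. "same": member must be in the group's own domain;
# "any": any domain in the forest. domain_local-in-domain_local is standard AD, not from the text.
ALLOWED = {
    "global": {"account": "same", "global": "same"},
    "universal": {"account": "any", "global": "any", "universal": "any"},
    "domain_local": {"account": "any", "global": "any", "universal": "any",
                     "domain_local": "same"},
}

@dataclass
class Principal:
    name: str
    domain: str
    kind: str  # "account", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

    def add(self, *new_members):
        for m in new_members:
            rule = ALLOWED.get(self.kind, {}).get(m.kind)
            if rule is None:
                raise ValueError(f"{self.kind} cannot contain {m.kind}")
            if rule == "same" and m.domain != self.domain:
                raise ValueError(f"{self.name} only takes {self.domain} members")
            self.members.append(m)
        return self

def effective_accounts(group):
    """Audit: expand the nesting and return the accounts that receive access."""
    found, stack, seen = set(), [group], set()
    while stack:
        node = stack.pop()
        if id(node) in seen:  # guard against circular nesting
            continue
        seen.add(id(node))
        found |= {m.domain + "\\" + m.name for m in node.members if m.kind == "account"}
        stack.extend(m for m in node.members if m.kind != "account")
    return found

def build_sales_example():
    # Constructed forest: domains EAST and WEST, one sales user in each.
    alice, bob = Principal("alice", "EAST", "account"), Principal("bob", "WEST", "account")
    g_east = Principal("G_Sales", "EAST", "global").add(alice)
    g_west = Principal("G_Sales", "WEST", "global").add(bob)
    u_sales = Principal("U_Sales", "EAST", "universal").add(g_east, g_west)
    dl_read = Principal("DL_SalesShare_Read", "WEST", "domain_local").add(u_sales)
    return bob, g_east, u_sales, dl_read
```

Calling `effective_accounts` on the domain local group answers the audit question for the resource it is applied to, while the `add` checks reject nesting that a scope does not allow.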

Comments

Universal groups are available to all domains in the forest. They are not available to other forests. The only group that can be used across forests is the global group.
Glad you like the videos and thanks for watching.

itfreetraining

Finally a nice resource that dispels the complexity of group scopes! I was reading the book Active Directory 5th Edition by Brian Desmond and frankly, his explanation was baffling, even though I'm reading the chapter for the second time. I just sat down and watched 'MCITP 70-640: Active Directory different group types available', 'MCITP 70-640: Group Strategy AGDLP' as well as this video and everything clicked in for me. Thanks for making such a fundamental Active Directory concept simple and understandable!

georgibg

Really informative. I am sure everyone who watched your video would have appreciated your effort. God Bless.

sunilchauhan

Thank you very much. Thanks for watching.

itfreetraining

No problem at all, thanks for watching.

itfreetraining

Great video, Sir. I understood 100% in both AGDLP and AGUDLP. Thanks a lot, you're awesome.

BugsbunnyEh

Thanks for that, I really appreciate it. I wasn't sure, hence the question. The response time on the question was very quick - quicker than most IT training providers lol

ianhardingham

Thank you for demystifying something that's confused me for a while.

liptongtr

This stuff is so complicated but simple, a great solution once understood as it reduces overhead. In case you are wondering: AGUDLP (an abbreviation of "Account, Universal group, Global group, Domain local group, Permission").

BijouBakson

Wait a minute.  3:38 is where I get confused.  Apparently we're adding users from different domains (top salesperson from each domain) to global groups.  That, so I've learned, is not possible.  Global groups can only contain users from the domain of the group's origin.  They can be applied forest-wide, but membership is restricted to the local domain.  

Atreus

Hi, thanks for the video, I am learning loads, quick question though:
Is Universal Group a forest wide group or is it applicable across multiple forests?
Thanks for the videos, I am studying for my MCP via this and I got a new job because of your videos - amazing thank you.

ianhardingham

Hi, do you have any topic regarding active directory backing up and restore, DFS or FRS??

lordjack

Thanks for the valuable source.
One confusion here for me: at 4:59, if Global group remove any of which does not affect the uni group.
At this stage if any employee has been changed to global access from uni access.... what happens?

kaushalpatel

Can a domain local group not be a member of a universal group?

bajishaik