1
00:00:00,940 --> 00:00:04,980
Let's take a look at Microsoft's current guidance with reference

2
00:00:04,980 --> 00:00:07,620
to how you actually implement these groups,

3
00:00:07,620 --> 00:00:10,920
whether they're built‑in groups or administrator‑defined groups.

4
00:00:10,920 --> 00:00:15,580
Let's take a look at how we can integrate universal groups, global groups,

5
00:00:15,580 --> 00:00:18,420
domain‑local groups, and individual users.

6
00:00:18,420 --> 00:00:22,570
And this practice has really not changed too much over the last 20

7
00:00:22,570 --> 00:00:25,390
odd years, so it makes a lot of sense for me.

8
00:00:25,390 --> 00:00:26,470
Let's see what you think.

9
00:00:26,470 --> 00:00:28,520
First, we have, as I mentioned before,

10
00:00:28,520 --> 00:00:32,450
organizing your domain users principally by their job function

11
00:00:32,450 --> 00:00:34,950
and access requirements into global groups.

12
00:00:34,950 --> 00:00:35,450
And again,

13
00:00:35,450 --> 00:00:39,230
although the membership of a global group is limited to the current domain,

14
00:00:39,230 --> 00:00:42,420
you can include global groups in access control lists

15
00:00:42,420 --> 00:00:44,740
across your entire forest enterprise.

16
00:00:44,740 --> 00:00:47,190
So users go into global groups.

17
00:00:47,190 --> 00:00:51,680
The global groups can go one or both of the following two ways.

18
00:00:51,680 --> 00:00:54,830
If you're going to implement universal groups, in other words,

19
00:00:54,830 --> 00:00:57,850
if you're in a larger multi‑domain environment,

20
00:00:57,850 --> 00:00:59,650
you want to keep in mind two things.

21
00:00:59,650 --> 00:01:00,800
One, you can do that.

22
00:01:00,800 --> 00:01:06,010
It's nice to conveniently populate related workers across domains or even

23
00:01:06,010 --> 00:01:10,740
across forest trusts into a universal group that you can give permissions to

24
00:01:10,740 --> 00:01:13,660
once instead of having to do it a number of times.

25
00:01:13,660 --> 00:01:16,960
But remember that the global catalog is required to

26
00:01:16,960 --> 00:01:19,590
process any Active Directory logon.

27
00:01:19,590 --> 00:01:20,750
But in particular,

28
00:01:20,750 --> 00:01:25,060
one of the things that the global catalog also does is enumerate universal

29
00:01:25,060 --> 00:01:28,980
group memberships. And it used to be more of an issue 20 years ago, but

30
00:01:28,980 --> 00:01:33,250
depending upon how much available network bandwidth you have, if you have a big

31
00:01:33,250 --> 00:01:38,480
organization with lots of users and you're churning or changing the membership

32
00:01:38,480 --> 00:01:40,450
of the universal groups regularly,

33
00:01:40,450 --> 00:01:45,530
then you've got Active Directory replication and global catalog updates to deal

34
00:01:45,530 --> 00:01:48,940
with, and you can wind up with slower than expected logons.

35
00:01:48,940 --> 00:01:51,880
So it's best to keep your universal group memberships as

36
00:01:51,880 --> 00:01:55,340
static as possible or consider not even using universal

37
00:01:55,340 --> 00:01:58,900
groups if you're in a single‑domain, single‑forest environment.

38
00:01:58,900 --> 00:02:00,260
But anyway, that's an option.

39
00:02:00,260 --> 00:02:03,720
The other option would be to populate your global groups

40
00:02:03,720 --> 00:02:06,040
directly into domain local groups.

41
00:02:06,040 --> 00:02:10,170
Remember that domain local groups exist and are available only to your domain

42
00:02:10,170 --> 00:02:15,040
controllers, and we then can use or reference those domain local groups when

43
00:02:15,040 --> 00:02:18,230
we're giving permissions and user rights to our users.

44
00:02:18,230 --> 00:02:21,530
So you can see that separation of duties. You're going to focus

45
00:02:21,530 --> 00:02:24,850
your authorization efforts at the domain local group level and

46
00:02:24,850 --> 00:02:27,580
attach that to your applications, your services,

47
00:02:27,580 --> 00:02:29,140
your files, and folders,

48
00:02:29,140 --> 00:02:32,860
this sort of stuff, Group Policy assignments. Your users are being

49
00:02:32,860 --> 00:02:37,510
organized into global groups, and that way, you can modularly patch in and

50
00:02:37,510 --> 00:02:41,930
patch out global groups into those domain local groups without having to

51
00:02:41,930 --> 00:02:44,240
modify any of your access permissions.

52
00:02:44,240 --> 00:02:48,380
This is a good pattern, like I said. I did mention in the introduction to this

53
00:02:48,380 --> 00:02:52,680
learning path that the Hybrid Cloud Administrator Certification is actually

54
00:02:52,680 --> 00:02:55,530
an associate‑level cert, not intended for beginners,

55
00:02:55,530 --> 00:03:02,000
but I do try to be as well rounded and complete of an instructor as I can. Anyway, let's get going.