Plan to incorporate Nesting Strategies for Riordan
Active Directory (AD) refers to as directory service that is created by Microsoft for windows-based domain networks. AD acts as a central focal point of administration of network and security and is accountable for authorization and authentication mechanisms within Windows domain network. It also assigns and enforces security guidelines for all computing nodes in the network, and installs and updates software on computers in the network.
Nesting is a useful ability that has been used to classify users into groups with permissions and rights. For instance, you have a resource called MYRESOURCE and you want to be accessed by all full-time workers. Since there may be no group called FTEs that consist of all full-time workers in the entire organization, but departmental administrators have come up with a structure whereby full-time workers are placed into groups and part-time workers are placed in another. To create a general FTE group, you can take different groups of workers from different departments (for example ADMIN_FTE, ACCTG_FTE, SALES_FTE and PRODUCTION_FTE) then categorize them under new group named ALL_FTE. After this you can assign access rights to MYRESOURCE by permitting ALL_FTE group to access and use the resource. At the end of this process you would have nested the several departmental groups into one big group.
There are different sorts of accounts in AD. User accounts refer to the actual clients of the system. Groups are categories of users categorized on the basis of function, department, and needs. User accounts are categorized into two namely: domain user accounts that are capable of accessing any resource available in their local system, as well as any other group that the account is its member; local accounts whereby the users are on local computers and are able to access what that local machine permits.
A fundamental understanding of these groups helps in designing and determining the choices to pick for a new group. You also need know the objects contain plus the overall intention of the group.
For group scope, you are finding out the exact place of use of the group in the AD enterprise. Here, your group choice determines a lot regarding the manner in which you intent to use the group in the overall assignment of permissions. The general outline of group and user nesting is intended as follows: users get into Global Groups, Global Groups to Domain Local Groups; Domain Local Groups are then listed on the Access Control List (ACL) of the resource.
For Universal Groups, the nesting guidelines are as follows:
Users get into Global Groups, Global groups to Universal Groups, Universal Groups to Domain Local Groups, and Domain Local groups are listed on the Access Control List of the source.
Domain Local group is a scope intended to consist of Global Groups and Universal Groups though it can as well contain user accounts and other Domain Local Groups. It can only be seen and used on controllers if domain is under mixed mode. Global Groups is a scope intended to keep user accounts and other Global groups. User accounts can only be contained if domain is under mixed mode. Universal Groups is a scope intended to keep Global Groups from multiple domains i.e. they help group groups in multi-domain enterprise. However, it is not usable as Security Groups if domain is under mixed mode. Since this Group gives permissions similar to the administrator’s, it is not suitable to be used in Riordan Manufacturing for their network.
Security Groups has a distinct feature in that a Security Identifier (SID) is assigned to it from the AD. SID promotes the function of the group so that it can be used to assign and control resource accessibility. Absence if SID in Distributed Groups accounts for its limited capability. Distribution Groups are intended for emails, and not for assignment of access rights to resources.
Riordan Manufacturing needs to incorporate Local Groups, Global Groups and Universal Groups in the AD. The most important consideration is to allow growth of network and lessen the permission count.
Every organizational would consist of shared resource together with its individual resources. Having identified the need of resources, they are then placed on domain local groups. Global Groups having equivalent need of resources would be placed in the suitable Domain Local Groups and would have same access rights as Domain Local Group.
References
Hunter, L. E., & Allen, R. (2008). Active Directory Cookbook. UK: O'Reilly Media, Inc.
Price, J. A., Price, B., & Fenstermacher, S. (2008). Mastering Active Directory for Windows Server 2008. Australia: John Wiley & Sons.
Suhanovs, D. (2003). MCSE Windows Server 2003 Active Directory Infrastructure Study Guide (Exam 70-294). New York: McGraw-Hill Professional.