[SOLVED] WES! I need your help!
I'm pretty sure it was in one of your videos, Wes....
In an MTA video, I'm looking for the scene where you are talking about user and resources, and the latest Microsoft-suggested practice of:
You had a graphic up and even had an acronym. Something like U-G-???-R for Users-Groups-???-Resources.
Can you help me out?
Thanks!
Hey Michael,
If you can give me the episode you were watching I would be more than willing to help!
Hey @MichaelS ,
Are you thinking of IGDLA and IGUDLA?
These are acronyms for Microsoft's recommended group strategy.
I Identities
Identities are any security principle, like user accounts, computer accounts, etc. Identities are added to Global groups.
G Global groups
Global groups allow us to gather up security principles that have the same access requirements. Rather than assign permissions to individual identities, we put them in a global group, and assign the access once. Global groups are added to either Universal groups or Domain local groups.
U Universal groups (In a multi domain environment, in a single domain skip U)
Global groups cannot contain members from other domains. So in a multi-domain environment, we might have sales users in each domain. Each domain might have a global group names "Sales Users". Both of these global groups can be added to a universal group, maybe called "All Sales Users". allowing us to only assign the access once, even when users are from multiple domains. Universal groups are added to Domain local groups.
DL Domain local groups
Domain local groups are used to assign access. They are added to the DACL on resources. For example, we might have a DL group named "Reports-Read", and another named "Reports-FullControl" Each group would be assigned the appropriate permission on the reports folder. Global groups (in a single domain environment) or Universal groups (in a multi-domain environment) are added to domain local groups, and permissions are assigned to domain local groups.
A Access
Access is the permission being assigned. It is assigned to domain local groups.
Thank you to both for taking the time to reply!
Yes, Mike, the IGDLA is what I was looking for. Thanks! We are moving to Azure and I'm suggesting that we use this. I mentioned it Friday before I left and today people thought it was a good idea!
