Overview

Introduction

Welcome to the Implement Group Nesting. In this module you will be provided with the instructions and devices needed to develop your hands-on skills.

Learning Outcomes

In this module, you will complete the following exercises:

  • Exercise 1 - Prepare Environment for Group Nesting
  • Exercise 2 - Implement Group Nesting

After completing this lab, you will be able to:

  • Create a new child domain
  • Create OU and security groups for group nesting
  • Implement group nesting using A-G-DL-P
  • Implement group nesting using A-G-U-DL-P
  • Verify access to resources from a parent domain or child domain when group nesting is enabled
  • Convert a group based on group scope and group type

Exam Objectives

The following exam objectives are covered in this lab:

  • Understand accounts and groups - group types, default groups, group scopes, group nesting, understand AGDLP and AGUDLP processes to help implement nesting

Lab Duration

It will take approximately 45 minutes to complete this lab.

Exercise 1 - Prepare Environment for Group Nesting

Managing access to network resources like applications, folders/files for large organizations that span more than on Active Directory domain can be significantly simplified with the use of group nesting. Group nesting is the process of adding security groups to other security groups.

Group nesting depends on the group scopes in a Windows AD domain, namely:

Domain local group - is a group scope originating from the same domain. This group can be granted permissions and rights in the same domain. User accounts, universal group and global groups from any trusted domain can be added as members.

Global group - is a group scope that can be granted permissions and rights in another trusted domain. Global group can be added into a Domain local group.

Universal group - is a group for rounding up user accounts, universal and global groups from any trusted domain. Membership in this group scope is normally kept static, as changes in the group membership in the universal group are replicated throughout the Active Directory forest that includes multiple domains.

Implementing group nesting can cut help reduce the number of permissions to access corporate assets and simplify the assignment of user rights to perform system tasks such as loading/unloading devices drivers.

In this exercise, you will prepare the lab environment for group nesting by creating a child domain. On this child domain, you will create the necessary Active Directory objects like an OU, security group and user to validate the concept of group nesting between Active Directory domains.

Exercise 2 - Implement Group Nesting

Group Nesting (a group within another group) is the process of adding a Windows security group into another security group to simplify the process of assigning permission and system rights. The group nesting feature is beneficial if an organization has more than one Active Directory (AD) domain, for example, a parent and child domain. This is the lab setup that was configured in the previous exercise where PRACTICELABS.COM is the parent and below it, is the child domain called APAC-CORP.

When a corporate asset is shared between two AD domains, group nesting is used to ensure that permissions are assigned only once to a Domain Local (DL) group which is the best practice. A Domain Local (DL) group is local to a domain. Permissions (P) and rights are typically granted to a Domain Local (DL) group as the resource is found in the domain itself. The resource can be folder, files or applications that are accessed in the domain locally.

There are two strategies to follow when implementing group nesting. The first one is A-G-DL-P. The Accounts (A) are added as members in the Global group (G), then the global group is added as a member of a Domain Local (DL), and permissions (P) are granted to Domain Local group.

The second is A-G-DL-U-P. The Accounts (A) are added as members in the Global group (G), then the global group is added as a member of a Universal group (U), the universal group is added as a member of a Domain Local (DL) and permissions are granted to Domain Local group.

The Universal group is useful for large organizations that span more than two or more AD domains. This group is used as a vehicle to organize global groups coming from different AD domains. The membership to a Universal group is replicated to the entire AD forest. Therefore, its membership must not often be changing.

The A-G-U-DL-P strategy is not mandatory for large organizations, as an A-G-DL-P option is simpler and easier to implement.

In this exercise, you will test the two group nesting strategies A-G-DL-P and A-G-U-DL-P and validate access to network assets by letting a standard network user connect to the resource in another domain.

Comprehensive Learning

See the full benefits of our immersive learning experience with interactive courses and guided career paths.