In this exercise we’re working on setting up an authorization strategy to control access to resources in an Active Directory (AD) forest.
We are gonna organize group memberships and permissions effectively to ensure proper access within a domain -> AGDLP strategy
1. Setting Up Group Structure
We’ll start by planning and creating a structure of groups within our Active Directory. This involves organizing users into global groups based on their roles, which makes it easier to manage permissions at a group level instead of assigning access to each user individually. By creating global groups within a specific organizational unit (OU), we’re setting up a logical organization for user access in our domain.
2. Assigning Permissions to Resources
we’ll create a shared resource on one of our client machines and set permissions so only certain groups can access it! This task focuses on assigning the appropriate access rights to domain local groups, which are specifically designed for controlling resource access within the domain. By doing this, we’re setting clear boundaries for which users or groups can interact with this resource and how.
3. Linking Group Levels for Effective Access Control
We’ll connect our global groups to domain local groups. This nesting strategy lets us control resource permissions by managing the global groups that contain our users. This approach follows the AGDLP model (Account-Global, Domain Local-Permission), where users are added to global groups and those global groups are included in domain local groups with specific permissions. This structure streamlines access management and ensures that permissions are correctly inherited and easy to adjust in the future.
4. Tests
We’ll start by logging in as one of the users we added to the group that has access to the resource. By doing this, we’re verifying that our permissions setup works as expected, allowing the user to view and interact with the shared folder.
Then, we’ll try logging in as a different user who wasn’t added to the group with access to the resource. This user shouldn’t be able to open or modify the folder, confirming that our access restrictions are correctly applied.