I received your e-mail asking how to provide access to resources throughout your AD environment, and I understand you are not sure which strategies are best for the different situations you are encountering. Since you have a domain for each department, such as Marketing, giving access to one printer is very easy. To start, you will need to create a group that allows access to the one printer within each department. Once you have created each group, you will then assign it to a domain local group, global group, and then to a universal group. Finally, add it to the Marketing domain group.
For HR, you will need to take all the users within the forest and add them to a global group, and then add that group to the universal group. Next, take the universal group and add it to the domain local group within their domain. These users will then have access to whatever is in that universal group, so you must make sure that you assign the printer they will use to print vacation requests to the HR department.
With R&D, you will need to take a slightly different approach. To allow access to only the server, you have to first create a domain local group that has some administrative rights. Then you will need to add them to a customized admins group that you have control of. You can then assign the permissions and rights as you create and assign them. Remember to limit access to their local machines only. Through the desktop local user account settings, you will be able to do all of this. This is just one of the approaches you can take. If you choose, you can take a different approach. If you have any further questions or problems, feel free to contact me again.
Best of luck
IT Admin
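
The HR nesting described above (users into a global group, global into universal, universal into a domain local group in the HR domain), sketched as an added PowerShell example that is not part of the original e-mail. The domain name `hr.example.com` and every group name are hypothetical placeholders. Because a global group can only hold members from its own domain, the example assumes one global group per domain in the forest.

```powershell
# Added example: all domain and group names are hypothetical placeholders.
Import-Module ActiveDirectory

$hrDomain  = 'hr.example.com'               # assumed domain that hosts the HR printer
$universal = 'UG-Forest-AllStaff'           # forest-wide universal group
$domLocal  = 'DL-HR-VacationPrinter-Print'  # the group the printer ACL will reference

# Universal group: can contain global groups from any domain in the forest.
New-ADGroup -Name $universal -GroupScope Universal -GroupCategory Security -Server $hrDomain

# Domain local group: lives in the HR domain and is the only group
# that is granted a permission on the resource itself.
New-ADGroup -Name $domLocal -GroupScope DomainLocal -GroupCategory Security -Server $hrDomain

foreach ($domain in (Get-ADForest).Domains) {
    # One global group per domain, holding that domain's users.
    $global = "GG-$($domain.Split('.')[0])-AllStaff"
    New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Server $domain

    # Enabled accounts only; narrow this with -SearchBase so that
    # service and built-in accounts are not swept into the group.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Server $domain
    if ($users) {
        Add-ADGroupMember -Identity $global -Members $users -Server $domain
    }

    # Nest the global group into the universal group. The member object
    # is fetched from its own domain so the cross-domain add resolves.
    $gg = Get-ADGroup -Identity $global -Server $domain
    Add-ADGroupMember -Identity $universal -Members $gg -Server $hrDomain
}

# Nest the universal group into the HR domain local group.
$ug = Get-ADGroup -Identity $universal -Server $hrDomain
Add-ADGroupMember -Identity $domLocal -Members $ug -Server $hrDomain

# Review the nesting before granting anything: list the direct members
# of each layer and confirm no unexpected group or account is present.
(Get-ADGroup -Identity $universal -Server $hrDomain -Properties Members).Members
(Get-ADGroup -Identity $domLocal  -Server $hrDomain -Properties Members).Members

# Last step (done on the print server): grant only the Print permission
# on the HR printer to $domLocal, not to the universal or global groups.
```

Granting the permission only to the domain local group keeps the printer ACL to a single entry, so access can be audited or revoked by changing group membership rather than editing the resource.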