As I was reading stuff about Active Directory, Organisational Units and groups, I understood that most of it was misleading. With truckloads of misleading documents written, I decided to tell my version of it. I didn't have any Windows server at hand to make some serious perusal.
So I decided to first buy the cheapest but still good computer that I could find on eBay. I bought a computer for 50€... 2 NICs, and used a copy of Windows Server 2003 SP3 to get things right. Well, I could not afford more at the moment... I resigned myself to installing a Windows Server series (2003 here) on a fairly good computer ;-) To get the hang of this mysterious and tricky thing... I got it right at once.
My feedback is: it is not that tricky. As I now understand how it works, I'm glad to share it with you.
So, how does this work? Actually this is quite simple and straightforward. Once you have established your Active Directory to manage your Domain, you'll have to create your OUs. Then in your OUs, you'll have to create your Groups.
So, how do you organize your groups? First you will create your groups based on the activity of people. Let's say Sales for... Sales, and then include your salesmen in it. "But Sales has only one person!" you'll say. Soooo? OK then.
- Create your Sales user. Call it salesman1 or sl1, for example.
- Create a Global group called Sales.
- Create 2 local domain groups called salesRW and salesR.
[Users]=>[Global Groups]=>[Local Domain Groups]=>[NTFS properties]=>[Folders]
If you try to include a LDG in a GG, a Windows AD mechanism will insult you politely ;-)
So it is kind of foolproof here. What is next? Next is the access to the resources.
What are Global Groups and Local Domain Groups? In short:
- Global Groups are groups that can interact between domains.
- Local Domain Groups are groups that can only interact in the local domain.
What type of resource on the local domain is available for the salesRW group? Well, let's say you have a shared folder called "Best_Sales_this_month". You want salesman1 to have read and write access to it. So you'll need to edit the folder properties and add the LDG salesRW with read/write permissions on this very folder. Yeah?
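The whole chain above, from user to folder ACL, as an added PowerShell example (not part of the original post). It assumes the ActiveDirectory module, which ships with Windows Server 2008 R2 and later or RSAT rather than Server 2003. The domain `example.local`, the NetBIOS name `EXAMPLE`, the share path, and the mapping of "read/write" to `Modify` and of salesR to `ReadAndExecute` are all assumptions.

```powershell
# Added example. Constructed values: example.local / EXAMPLE, the D:\Shares path.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'                 # constructed domain
$ouDn     = "OU=Sales,$domainDn"
$share    = 'D:\Shares\Best_Sales_this_month'     # constructed path; folder must exist

# OU that holds the user and the groups
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn

# [Users]
$pw = Read-Host -AsSecureString 'Initial password for salesman1'
New-ADUser -Name 'salesman1' -SamAccountName 'salesman1' -Path $ouDn `
    -AccountPassword $pw -Enabled $true

# [Global Groups]: one per activity
New-ADGroup -Name 'Sales' -SamAccountName 'Sales' -Path $ouDn `
    -GroupScope Global -GroupCategory Security

# [Local Domain Groups]: one per access level on the resource
foreach ($name in 'salesRW', 'salesR') {
    New-ADGroup -Name $name -SamAccountName $name -Path $ouDn `
        -GroupScope DomainLocal -GroupCategory Security
}

# Nesting: user -> global group -> domain local group
Add-ADGroupMember -Identity 'Sales'   -Members 'salesman1'
Add-ADGroupMember -Identity 'salesRW' -Members 'Sales'

# The reverse nesting (LDG inside GG) is refused by AD; show the error
try {
    Add-ADGroupMember -Identity 'Sales' -Members 'salesRW' -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# [NTFS properties] -> [Folders]: only the domain local groups appear in the ACL
$acl = Get-Acl -Path $share
$grants = @{ 'salesRW' = 'Modify'; 'salesR' = 'ReadAndExecute' }   # assumed mapping
foreach ($g in $grants.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "EXAMPLE\$($g.Key)", $g.Value, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $share -AclObject $acl
```

Because the ACL names only salesRW and salesR, later changes to who can reach the folder are made through group membership and the folder's permissions stay untouched.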
So, you see, it is not rocket science. Unfortunately, people who want to learn it by the book may find it very hard (as I did). Which is pretty strange to me... Anyway, I hope to have made this clearer for some of us.