When you create Active Directory groups, follow the account rules below: create the predefined universal groups in the parent domain and the global groups in the child domain.

Account Rules

To grant user and service accounts only the access that they require to perform their tasks, create Active Directory groups according to the following rules.

  1. Add user and service accounts to universal groups in the parent domain.

  2. Add the universal groups to global groups in each child domain.

  3. Assign access rights and permissions to the local groups in the child domains according to their role.

Universal Groups in the Parent Domain

In the rainpole.local domain, create the following universal groups:

Table 1. Universal Groups in the rainpole.local Parent Domain

Group Name        Group Scope  Description
----------------  -----------  -------------------------------------------------------------------------------
ug-SDDC-Admins    Universal    Administrative group for the SDDC
ug-SDDC-Ops       Universal    SDDC operators group
ug-vCenterAdmins  Universal    Group with accounts that are assigned vCenter Server administrator privileges.

Global Groups in the Child Domains

In each child domain (in this design, sfo01.rainpole.local), add the role-specific universal group from the parent domain to the corresponding role-specific global group in the child domain.

Table 2. Global Groups in the sfo01.rainpole.local Child Domain

Group Name     Group Scope  Description                                                          Member of Groups
-------------  -----------  -------------------------------------------------------------------  -------------------------
SDDC-Admins    Global       Administrative group for the SDDC                                    RAINPOLE\ug-SDDC-Admins
SDDC-Ops       Global       SDDC operators group                                                 RAINPOLE\ug-SDDC-Ops
vCenterAdmins  Global       Accounts that are assigned vCenter Server administrator privileges.  RAINPOLE\ug-vCenterAdmins
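The following PowerShell script is an added example, not part of the design documentation: it creates the universal groups from Table 1 in rainpole.local and the global groups from Table 2 in sfo01.rainpole.local, then records the membership shown in the Member of Groups column by nesting each child-domain global group in its parent-domain universal group, and verifies the result. The OU paths are assumptions; the domain and group names come from the tables.

```powershell
# Added example (not from the design documentation). Requires the ActiveDirectory
# module and an account permitted to create groups in both domains.
Import-Module ActiveDirectory

$ParentDomain = 'rainpole.local'
$ChildDomain  = 'sfo01.rainpole.local'
$ParentOU     = 'OU=Groups,DC=rainpole,DC=local'           # assumed OU, adjust to your design
$ChildOU      = 'OU=Groups,DC=sfo01,DC=rainpole,DC=local'  # assumed OU, adjust to your design

# Role pairs from Table 1 / Table 2 (descriptions taken from Table 2)
$Roles = @(
    @{ Universal = 'ug-SDDC-Admins';   Global = 'SDDC-Admins';   Description = 'Administrative group for the SDDC' }
    @{ Universal = 'ug-SDDC-Ops';      Global = 'SDDC-Ops';      Description = 'SDDC operators group' }
    @{ Universal = 'ug-vCenterAdmins'; Global = 'vCenterAdmins'; Description = 'Accounts that are assigned vCenter Server administrator privileges.' }
)

foreach ($Role in $Roles) {
    # Universal group in the parent domain (create only if missing, so the script is re-runnable)
    $Universal = Get-ADGroup -Server $ParentDomain -Filter "Name -eq '$($Role.Universal)'"
    if (-not $Universal) {
        $Universal = New-ADGroup -Server $ParentDomain -Path $ParentOU -Name $Role.Universal `
            -GroupScope Universal -GroupCategory Security -Description $Role.Description -PassThru
    }

    # Global group in the child domain
    $Global = Get-ADGroup -Server $ChildDomain -Filter "Name -eq '$($Role.Global)'"
    if (-not $Global) {
        $Global = New-ADGroup -Server $ChildDomain -Path $ChildOU -Name $Role.Global `
            -GroupScope Global -GroupCategory Security -Description $Role.Description -PassThru
    }

    # Nest the child global group in the parent universal group ("Member of Groups" column).
    # The member is passed as an object retrieved from its own domain so that the
    # cross-domain reference resolves; the Member attribute is read directly because it
    # lists distinguished names regardless of which domain the member lives in.
    $CurrentMembers = (Get-ADGroup -Server $ParentDomain -Identity $Universal -Properties Member).Member
    if ($CurrentMembers -notcontains $Global.DistinguishedName) {
        Add-ADGroupMember -Server $ParentDomain -Identity $Universal -Members $Global
    }
}

# Verification: every universal group should contain exactly its child-domain global group
foreach ($Role in $Roles) {
    $Members = (Get-ADGroup -Server $ParentDomain -Identity $Role.Universal -Properties Member).Member
    [pscustomobject]@{ UniversalGroup = $Role.Universal; Members = ($Members -join '; ') }
}
```

Run the verification loop again after a review cycle to detect members that were added to the parent-domain universal groups outside this process.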