To grant user and service accounts the access they require to perform their tasks, create Active Directory groups according to a fixed set of rules, so that every account obtains its rights through group membership rather than through direct assignment.

Create Active Directory groups according to the following rules:

  1. Add user and service accounts to universal groups in the parent domain.
  2. Add the universal groups to global groups in each child domain.
  3. Where applicable, assign access rights and permissions for specific products to the global groups in the child domains and to the universal groups in the parent domain (rainpole.local), according to the role of each group.

Universal Groups in the Parent Domain

In the rainpole.local domain, create the following universal groups:

Table 1. Universal Groups in the rainpole.local Parent Domain

| Group Name             | Group Scope | Description                                                                     |
|------------------------|-------------|---------------------------------------------------------------------------------|
| ug-SDDC-Admins         | Universal   | Administrative group for the SDDC                                               |
| ug-SDDC-Ops            | Universal   | SDDC operators group                                                            |
| ug-vCenterAdmins       | Universal   | Group with accounts that are assigned vCenter Server administrator privileges   |
| ug-vra-admins-rainpole | Universal   | Tenant administrators group                                                     |
| ug-vra-archs-rainpole  | Universal   | Tenant blueprint architects group                                               |
| ug-vROAdmins           | Universal   | Group with vRealize Orchestrator administrator privileges                       |

Global Groups in the Child Domains

In each child domain, add the role-specific universal group from the parent domain to the relevant role-specific global group in the child domain.

Table 2. Global Groups in the Child Domains

| Group Name    | Group Scope | Description                                                          | Member of Groups         |
|---------------|-------------|----------------------------------------------------------------------|--------------------------|
| SDDC-Admins   | Global      | Administrative group for the SDDC                                    | RAINPOLE\ug-SDDC-Admins  |
| SDDC-Ops      | Global      | SDDC operators group                                                 | RAINPOLE\ug-SDDC-Ops     |
| vCenterAdmins | Global      | Accounts that are assigned vCenter Server administrator privileges   | RAINPOLE\ug-vCenterAdmins |
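The following PowerShell script is an added example, not part of the original page or of the VMware design documentation: it creates the universal groups from Table 1 in rainpole.local, the global groups from Table 2 in a child domain, nests them as the "Member of Groups" column describes (each child-domain global group becomes a member of the parent-domain universal group, which Active Directory's group-scope rules permit for global groups from any domain in the forest), and then verifies the resulting membership. The child domain name, the target OUs, and the account running the script are placeholders and assumptions; the page does not name them.

```powershell
# Added example (not from the page). Requires the ActiveDirectory module (RSAT)
# and an account with group-management rights in both domains (assumption).
Import-Module ActiveDirectory

$ParentDomain = 'rainpole.local'                              # named on the page
$ChildDomain  = 'child.rainpole.local'                        # PLACEHOLDER: the page does not name the child domain
$ParentOU     = 'OU=Groups,DC=rainpole,DC=local'              # PLACEHOLDER OU in the parent domain
$ChildOU      = 'OU=Groups,DC=child,DC=rainpole,DC=local'     # PLACEHOLDER OU in the child domain

# Table 1: universal groups in the parent domain.
$UniversalGroups = @(
    @{ Name = 'ug-SDDC-Admins';         Description = 'Administrative group for the SDDC' }
    @{ Name = 'ug-SDDC-Ops';            Description = 'SDDC operators group' }
    @{ Name = 'ug-vCenterAdmins';       Description = 'Group with accounts that are assigned vCenter Server administrator privileges' }
    @{ Name = 'ug-vra-admins-rainpole'; Description = 'Tenant administrators group' }
    @{ Name = 'ug-vra-archs-rainpole';  Description = 'Tenant blueprint architects group' }
    @{ Name = 'ug-vROAdmins';           Description = 'Group with vRealize Orchestrator administrator privileges' }
)

# Table 2: global groups in the child domain and the universal group each one is a member of.
$GlobalGroups = @(
    @{ Name = 'SDDC-Admins';   Description = 'Administrative group for the SDDC';                                  MemberOf = 'ug-SDDC-Admins' }
    @{ Name = 'SDDC-Ops';      Description = 'SDDC operators group';                                               MemberOf = 'ug-SDDC-Ops' }
    @{ Name = 'vCenterAdmins'; Description = 'Accounts that are assigned vCenter Server administrator privileges'; MemberOf = 'ug-vCenterAdmins' }
)

# Create a security group only if no group of that name exists yet, so the script is safe to re-run.
function New-GroupIfMissing {
    param(
        [string]$Name, [string]$Scope, [string]$Description, [string]$Path, [string]$Server
    )
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Server
    if (-not $existing) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope -GroupCategory Security `
                    -Description $Description -Path $Path -Server $Server
        Write-Host "Created $Scope group $Name in $Server"
    }
}

foreach ($g in $UniversalGroups) {
    New-GroupIfMissing -Name $g.Name -Scope Universal -Description $g.Description -Path $ParentOU -Server $ParentDomain
}
foreach ($g in $GlobalGroups) {
    New-GroupIfMissing -Name $g.Name -Scope Global -Description $g.Description -Path $ChildOU -Server $ChildDomain
}

# Nesting per Table 2: the child-domain global group is added as a member of the parent-domain
# universal group. The universal group is read from the parent domain (-Server) and the global
# group object from the child domain, so the cmdlet resolves the cross-domain member by its DN.
foreach ($g in $GlobalGroups) {
    $global    = Get-ADGroup -Identity $g.Name -Server $ChildDomain
    $universal = Get-ADGroup -Identity $g.MemberOf -Server $ParentDomain -Properties Members
    if ($universal.Members -notcontains $global.DistinguishedName) {
        Add-ADGroupMember -Identity $universal -Members $global -Server $ParentDomain
        Write-Host "Added $ChildDomain\$($g.Name) to $ParentDomain\$($g.MemberOf)"
    }
}

# Verification: re-read each universal group and confirm the expected global group is a member.
# Any mismatch is reported as a warning so it can be picked up by the operator or a log collector.
$problems = 0
foreach ($g in $GlobalGroups) {
    $global    = Get-ADGroup -Identity $g.Name -Server $ChildDomain
    $universal = Get-ADGroup -Identity $g.MemberOf -Server $ParentDomain -Properties Members
    if ($universal.Members -contains $global.DistinguishedName) {
        Write-Host "OK: $ChildDomain\$($g.Name) is a member of $ParentDomain\$($g.MemberOf)"
    } else {
        Write-Warning "MISSING: $ChildDomain\$($g.Name) is not a member of $ParentDomain\$($g.MemberOf)"
        $problems++
    }
}
Write-Host "Verification finished with $problems problem(s)."
```

The verification loop is the part worth keeping after the initial rollout: run it on a schedule against the same tables and any drift (a global group removed from its universal group, or an unexpected direct member) shows up before it affects the product-level permissions assigned in step 3.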