To grant user and service accounts only the access they need to perform their tasks, create Active Directory groups according to the following rules:
- Add user and service accounts to universal groups in the parent domain.
- Add the global groups in each child domain to the universal groups.
- Where applicable, assign access rights and permissions on specific products to the global groups in the child domains and to the universal groups in the parent domain (rainpole.local), according to the role each group represents.
Universal Groups in the Parent Domain
In the rainpole.local domain, create the following universal groups:
| Group Name | Group Scope | Description |
|---|---|---|
| ug-SDDC-Admins | Universal | Administrative group for the SDDC |
| ug-SDDC-Ops | Universal | SDDC operators group |
| ug-vCenterAdmins | Universal | Group with accounts that are assigned vCenter Server administrator privileges |
| ug-vra-admins-rainpole | Universal | Tenant administrators group |
| ug-vra-archs-rainpole | Universal | Tenant blueprint architects group |
| ug-vROAdmins | Universal | Group with vRealize Orchestrator Administrator privileges |
Global Groups in the Child Domains
In each child domain, create the role-specific global group and add it as a member of the corresponding role-specific universal group in the parent domain, so that permissions granted to the universal group apply to the accounts in each child domain's global group.
| Group Name | Group Scope | Description | Member of Groups |
|---|---|---|---|
| SDDC-Admins | Global | Administrative group for the SDDC | RAINPOLE\ug-SDDC-Admins |
| SDDC-Ops | Global | SDDC operators group | RAINPOLE\ug-SDDC-Ops |
| vCenterAdmins | Global | Accounts that are assigned vCenter Server administrator privileges | RAINPOLE\ug-vCenterAdmins |
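The following PowerShell script is an added example (not part of the original design guide) that builds the universal/global nesting described above with the ActiveDirectory module and then verifies it. The parent domain rainpole.local comes from the page; the child domain name sfo01.rainpole.local and the OU paths are assumed placeholders.

```powershell
# Added example: create parent-domain universal groups, child-domain global groups,
# nest the global groups into the universal groups, and verify the membership.
Import-Module ActiveDirectory

$ParentDomain = 'rainpole.local'
$ChildDomain  = 'sfo01.rainpole.local'                     # assumed placeholder child domain
$ParentOU     = 'OU=Groups,DC=rainpole,DC=local'           # assumed placeholder OU
$ChildOU      = 'OU=Groups,DC=sfo01,DC=rainpole,DC=local'  # assumed placeholder OU

# Role mapping taken from the tables above: universal group (parent) <- global group (child)
$Roles = @(
    @{ Universal = 'ug-SDDC-Admins';   Global = 'SDDC-Admins';   Desc = 'Administrative group for the SDDC' },
    @{ Universal = 'ug-SDDC-Ops';      Global = 'SDDC-Ops';      Desc = 'SDDC operators group' },
    @{ Universal = 'ug-vCenterAdmins'; Global = 'vCenterAdmins'; Desc = 'Accounts that are assigned vCenter Server administrator privileges' }
)

foreach ($r in $Roles) {
    # Universal security group in the parent domain: this is the group that receives permissions.
    if (-not (Get-ADGroup -Server $ParentDomain -Filter "Name -eq '$($r.Universal)'")) {
        New-ADGroup -Server $ParentDomain -Name $r.Universal -GroupScope Universal `
            -GroupCategory Security -Path $ParentOU -Description $r.Desc
    }
    # Global security group in the child domain: this is the group that holds the accounts.
    if (-not (Get-ADGroup -Server $ChildDomain -Filter "Name -eq '$($r.Global)'")) {
        New-ADGroup -Server $ChildDomain -Name $r.Global -GroupScope Global `
            -GroupCategory Security -Path $ChildOU -Description $r.Desc
    }
    # Nest: the child-domain global group becomes a member of the parent-domain universal group.
    # The membership write must target a DC in the universal group's own domain.
    $globalGroup = Get-ADGroup -Server $ChildDomain -Identity $r.Global
    Add-ADGroupMember -Server $ParentDomain -Identity $r.Universal -Members $globalGroup
}

# Verification: read each universal group's member DNs and resolve them through the
# global catalog (port 3268), which can see objects from every domain in the forest.
$GC = "$($ParentDomain):3268"
foreach ($r in $Roles) {
    $members = (Get-ADGroup -Server $ParentDomain -Identity $r.Universal -Properties Members).Members
    foreach ($dn in $members) {
        $obj = Get-ADObject -Server $GC -Identity $dn -Properties groupType
        # groupType bits: 0x2 = global scope, 0x8 = universal scope, 0x80000000 = security group
        $scope = if ($obj.objectClass -eq 'group') {
            if ($obj.groupType -band 0x2) { 'Global' } elseif ($obj.groupType -band 0x8) { 'Universal' } else { 'DomainLocal' }
        } else { 'account' }
        '{0,-20} <- {1} ({2})' -f $r.Universal, $obj.Name, $scope
    }
}
```

Run it with an account that can create groups in both domains; the verification output lets you confirm that each universal group contains the expected child-domain global group and spot any group that was nested with the wrong scope.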