To grant user and service accounts the access required to perform their tasks, create Active Directory groups according to the following rules:

1. Add user and service accounts to universal groups in the parent domain.

2. Add the universal groups to global groups in each child domain.

3. Assign access rights and permissions to the local groups in the child domains according to their role.

In the rainpole.local domain, create the following universal groups:

Universal Groups in the rainpole.local Parent Domain

| Group Name               | Group Scope | Description                                                                  |
|--------------------------|-------------|------------------------------------------------------------------------------|
| ug-SDDC-Admins           | Universal   | Administrative group for the SDDC                                            |
| ug-SDDC-Ops              | Universal   | SDDC operators group                                                         |
| ug-ITAC-TenantAdmins     | Universal   | Tenant administrators group                                                  |
| ug-ITAC-TenantArchitects | Universal   | Tenant blueprint architects group                                            |
| ug-vCenterAdmins         | Universal   | Group with accounts that are assigned vCenter Server administrator privileges |
| ug-vROAdmins             | Universal   | Group with vRealize Orchestrator Administrator privileges                    |

In each child domain, sfo01.rainpole.local and lax01.rainpole.local, add the role-specific universal group from the parent domain to the relevant role-specific global group in the child domain.

Global Groups in the sfo01.rainpole.local and lax01.rainpole.local Child Domains

| Group Name            | Group Scope | Description                                                       | Member of Groups                 |
|-----------------------|-------------|-------------------------------------------------------------------|----------------------------------|
| SDDC-Admins           | Global      | Administrative group for the SDDC                                 | RAINPOLE\ug-SDDC-Admins          |
| SDDC-Ops              | Global      | SDDC operators group                                              | RAINPOLE\ug-SDDC-Ops             |
| ITAC-TenantAdmins     | Global      | Tenant administrators group                                       | RAINPOLE\ug-ITAC-TenantAdmins    |
| ITAC-TenantArchitects | Global      | Tenant blueprint architects group                                 | RAINPOLE\ug-ITAC-TenantArchitects |
| vCenterAdmins         | Global      | Accounts that are assigned vCenter Server administrator privileges | RAINPOLE\ug-vCenterAdmins        |
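As an added example (not part of the design guide), the following PowerShell creates the groups from both tables with the listed scopes and then applies step 2 for every role that appears in both tables; it assumes the ActiveDirectory module is installed, the caller can create groups in all three domains, and the OU path is a placeholder. Because Active Directory only lets a global group contain principals from its own domain, the cross-domain membership add is wrapped in try/catch so the directory's response is reported instead of lost.

```powershell
# Added example: builds the universal and global groups from the two tables and nests them
# per step 2. Assumptions (not from the page): ActiveDirectory module present, group-creation
# rights in all three domains, and a placeholder OU named SDDC-Groups in each domain.
Import-Module ActiveDirectory

$ParentDomain = 'rainpole.local'
$ChildDomains = 'sfo01.rainpole.local', 'lax01.rainpole.local'
$GroupOU      = 'OU=SDDC-Groups'   # placeholder OU, resolved relative to each domain's DN

# Roles present in both tables: parent universal group is "ug-<role>", child global group is "<role>".
$Roles = [ordered]@{
    'SDDC-Admins'           = 'Administrative group for the SDDC'
    'SDDC-Ops'              = 'SDDC operators group'
    'ITAC-TenantAdmins'     = 'Tenant administrators group'
    'ITAC-TenantArchitects' = 'Tenant blueprint architects group'
    'vCenterAdmins'         = 'Accounts that are assigned vCenter Server administrator privileges'
}

function Get-DomainDN([string]$Domain) {
    ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Idempotent create: a security group with the requested scope, skipped if it already exists.
function New-SecurityGroupIfMissing([string]$Name, [string]$Scope, [string]$Description, [string]$Domain) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -Server $Domain)) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Server $Domain `
            -Path "$GroupOU,$(Get-DomainDN $Domain)" -Description $Description
    }
}

# Table 1: universal groups in the parent domain (user and service accounts are added here, step 1).
foreach ($role in $Roles.Keys) {
    New-SecurityGroupIfMissing -Name "ug-$role" -Scope Universal -Description $Roles[$role] -Domain $ParentDomain
}

# Table 2: global groups in each child domain, with the parent universal group as member (step 2).
foreach ($domain in $ChildDomains) {
    foreach ($role in $Roles.Keys) {
        New-SecurityGroupIfMissing -Name $role -Scope Global -Description $Roles[$role] -Domain $domain
        $ug      = Get-ADGroup -Identity "ug-$role" -Server $ParentDomain
        $current = Get-ADGroupMember -Identity $role -Server $domain | Select-Object -ExpandProperty DistinguishedName
        if ($current -notcontains $ug.DistinguishedName) {
            try {
                Add-ADGroupMember -Identity $role -Members $ug -Server $domain
            } catch {
                # A global group accepts members only from its own domain; report the
                # directory's rejection of this cross-domain add rather than hiding it.
                Write-Warning "$domain\$role <- RAINPOLE\$($ug.Name): $($_.Exception.Message)"
            }
        }
    }
}
```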